

Windows Analysis Report
SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe
Analysis ID: 1427735
MD5: e1d8325b086f91769120381b78626e2e
SHA1: 0eb6827878445d3e3e584b7f08067a7a4dc9e618
SHA256: b925abb193e7003f4a692064148ffe7840096022a44f4d5ae4c0abb59a287934
Tags: exe

Detection

Glupteba, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected Glupteba
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Yara detected zgRAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found Tor onion address
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies Group Policy settings
PE file contains section with special chars
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Windows Defender Exclusions Added - Registry
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" MD5: E1D8325B086F91769120381B78626E2E)
    • powershell.exe (PID: 7484 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7964 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • CasPol.exe (PID: 7520 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • JPl4ZLOvy3fY5RSXGk5s9Gl5.exe (PID: 7912 cmdline: "C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe" MD5: 3A4982B7D2352FB3089C01B9F33C25EB)
      • JIsbjewlnghreiCB15kllzTk.exe (PID: 7992 cmdline: "C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
      • 7ifrWkUACu1QmnINWqs0eu9h.exe (PID: 8008 cmdline: "C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
      • T2RIU3FpH6dczIGTG32vuvvE.exe (PID: 8100 cmdline: "C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe" --silent --allusers=0 MD5: EF199316DF30CB4E02F45F156EC63A9A)
        • T2RIU3FpH6dczIGTG32vuvvE.exe (PID: 8168 cmdline: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2bc,0x6c60e1d0,0x6c60e1dc,0x6c60e1e8 MD5: EF199316DF30CB4E02F45F156EC63A9A)
        • T2RIU3FpH6dczIGTG32vuvvE.exe (PID: 5740 cmdline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\T2RIU3FpH6dczIGTG32vuvvE.exe" --version MD5: EF199316DF30CB4E02F45F156EC63A9A)
      • KI5P6OyhHMwNaNA4w0xtd3UY.exe (PID: 8124 cmdline: "C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe" MD5: A25CDF843E60F609B970AC9414170A7A)
      • XEAazEoSTmJSOa66cXm6S07v.exe (PID: 2668 cmdline: "C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe" MD5: 3A4982B7D2352FB3089C01B9F33C25EB)
      • QHuPF3k4no0JL9DdGqDYtkCG.exe (PID: 6480 cmdline: "C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
      • Yz2gr4IqEnTCH1g642bo4hrO.exe (PID: 7016 cmdline: "C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
      • 3wiDjAuNAMEeKc2Sp8AJvkHN.exe (PID: 7300 cmdline: "C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe" MD5: A25CDF843E60F609B970AC9414170A7A)
      • syLcQZGPHHUJ3M0wbg0XxQZf.exe (PID: 5496 cmdline: "C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe" --silent --allusers=0 MD5: C2F0D0D1B405D1F1476B802BE5DD2ED3)
        • syLcQZGPHHUJ3M0wbg0XxQZf.exe (PID: 8040 cmdline: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6bf8e1d0,0x6bf8e1dc,0x6bf8e1e8 MD5: C2F0D0D1B405D1F1476B802BE5DD2ED3)
      • wjaGPzkDQjpdcbjBR9AwSFKW.exe (PID: 8044 cmdline: "C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe" MD5: 5D5DA0738299D8893B79A6C926765E5F)
        • Install.exe (PID: 6740 cmdline: .\Install.exe /sQwdidHh "385118" /S MD5: E77964E011D8880EAE95422769249CA4)
      • SU1be6oqYDorLkUc1l6IPPFB.exe (PID: 7896 cmdline: "C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe" MD5: 3A4982B7D2352FB3089C01B9F33C25EB)
      • Vh2fqCjm9jPtwuJrcfbbwxLj.exe (PID: 7660 cmdline: "C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
      • PqdYh9kiVSkf3FjC9RDfcS2e.exe (PID: 7768 cmdline: "C:\Users\user\Pictures\PqdYh9kiVSkf3FjC9RDfcS2e.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
      • 0XytwVHS3WE9jtGuuRid6GiP.exe (PID: 7216 cmdline: "C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe" --silent --allusers=0 MD5: CD54757EAFA70E59850F77982FAFCB49)
        • 0XytwVHS3WE9jtGuuRid6GiP.exe (PID: 4476 cmdline: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6b0de1d0,0x6b0de1dc,0x6b0de1e8 MD5: CD54757EAFA70E59850F77982FAFCB49)
        • 0XytwVHS3WE9jtGuuRid6GiP.exe (PID: 2764 cmdline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\0XytwVHS3WE9jtGuuRid6GiP.exe" --version MD5: CD54757EAFA70E59850F77982FAFCB49)
      • mm4Q31XfpYKjbn6ceSwXhER9.exe (PID: 1068 cmdline: "C:\Users\user\Pictures\mm4Q31XfpYKjbn6ceSwXhER9.exe" MD5: 3A4982B7D2352FB3089C01B9F33C25EB)
      • GGlApx2WKpOBsEMsKqplE6Uf.exe (PID: 5780 cmdline: "C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe" MD5: A25CDF843E60F609B970AC9414170A7A)
      • 1HakjlIwxygCinOPkQfhRxwL.exe (PID: 3852 cmdline: "C:\Users\user\Pictures\1HakjlIwxygCinOPkQfhRxwL.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
      • F6G6Y5cEUOHQw9dTwu4nNoIO.exe (PID: 5472 cmdline: "C:\Users\user\Pictures\F6G6Y5cEUOHQw9dTwu4nNoIO.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
      • kuRSiZPmKhbW1guMqYXCvrAu.exe (PID: 6404 cmdline: "C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe" --silent --allusers=0 MD5: B1D3A17EDD5DACC6B98BEC740C1B4A2F)
      • kBnX25PRDA3FRCf96qRj6qpV.exe (PID: 7052 cmdline: "C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe" MD5: A25CDF843E60F609B970AC9414170A7A)
    • CasPol.exe (PID: 7540 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • WerFault.exe (PID: 7716 cmdline: C:\Windows\system32\WerFault.exe -u -p 7412 -s 1156 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 7572 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7668 cmdline: C:\Windows\system32\WerFault.exe -pss -s 208 -p 7412 -ip 7412 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cmd.exe (PID: 7692 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5me5kJjaX6nSu3LrmZClhT87.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • oE07FMGKijbqRxoSOEfcVNr4.exe (PID: 7856 cmdline: "C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exe" MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782)
  • svchost.exe (PID: 5052 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 3104 cmdline: C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1308 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Glupteba
Description: Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer component which targets browser information and cryptowallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exe | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0xcb387:$s1: file:///
  • 0xcb297:$s2: {11111-22222-10009-11112}
  • 0xcb317:$s3: {11111-22222-50001-00000}
  • 0xc9fdb:$s4: get_Module
  • 0x41c0ea:$s4: get_Module
  • 0xc2f8e:$s5: Reverse
  • 0x41abeb:$s5: Reverse
  • 0x41ad57:$s6: BlockCopy
  • 0xc0864:$s7: ReadByte
  • 0x40f9a2:$s7: ReadByte
  • 0xcb399:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
C:\Users\user\AppData\Local\Temp\u224.1.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Users\user\AppData\Local\Temp\u63s.1.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
Source | Rule | Description | Author | Strings
00000008.00000002.3336518839.0000000002F1E000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1760:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000017.00000002.3372271879.0000000002E60000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security
0000000F.00000002.3375966593.0000000002FAE000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1588:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source | Rule | Description | Author | Strings
3.2.CasPol.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.2.SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe.1e7b7d49938.2.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
24.2.Vh2fqCjm9jPtwuJrcfbbwxLj.exe.400000.6.unpack | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security
0.2.SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe.1e7b7d46ef8.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
17.2.Yz2gr4IqEnTCH1g642bo4hrO.exe.400000.5.unpack | JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, ParentProcessId: 7412, ParentProcessName: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" -Force, ProcessId: 7484, ProcessName: powershell.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe, ProcessId: 8124, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C2D6C799-1878-4A10-AE0B-BB0304219A47}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, ParentProcessId: 7412, ParentProcessName: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" -Force, ProcessId: 7484, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 7572, ProcessName: svchost.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 7520, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VgsxHcqWGMZuJZrJUV5SLHQ3.bat
No Snort rule has matched



AV Detection

Source: C:\Users\user\AppData\Local\Ckxihb2NQynZLzb7wQqDjQv3.exe | Avira: detection malicious, Label: HEUR/AGEN.1310450
Source: C:\Users\user\AppData\Local\D0v59fae1RRLyzPSbsQoGGZK.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\A6zIGniAZ7NEfPoGNA99xdJC.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\KZrOTs6FcYbq3nj2hpYsaJil.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\1sULHHpeqbgWxmRBkrwHQ2Wq.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\7GonYrcCQJRZWxpQLYX649aX.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\5CSwXytovRGWzicTtxKeyiOA.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\7cokQoA6j0WDpV84Xp72tQca.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\AO0lQiXja0SJ1xVYKQpJ0RgU.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\4eN6JMBulbZWTUqm8bHwZ2Cg.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Users\user\AppData\Local\1sULHHpeqbgWxmRBkrwHQ2Wq.exe | Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\4eN6JMBulbZWTUqm8bHwZ2Cg.exe | Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\5CSwXytovRGWzicTtxKeyiOA.exe | Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\7GonYrcCQJRZWxpQLYX649aX.exe | Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\7cokQoA6j0WDpV84Xp72tQca.exe | Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\A6zIGniAZ7NEfPoGNA99xdJC.exe | Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\AO0lQiXja0SJ1xVYKQpJ0RgU.exe | Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\Ckxihb2NQynZLzb7wQqDjQv3.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\D0v59fae1RRLyzPSbsQoGGZK.exe | Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\GNcg3yiDrmzw07ZdoxfNbs1v.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\GNcg3yiDrmzw07ZdoxfNbs1v.exe | Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Local\KZrOTs6FcYbq3nj2hpYsaJil.exe | Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\inte[1].exe | Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exe | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exe | Virustotal: Detection: 47%
Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | ReversingLabs: Detection: 23%
Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Virustotal: Detection: 21%
Source: Yara match | File source: 24.2.Vh2fqCjm9jPtwuJrcfbbwxLj.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Yz2gr4IqEnTCH1g642bo4hrO.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.JIsbjewlnghreiCB15kllzTk.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.3312827601.0000000000843000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: JIsbjewlnghreiCB15kllzTk.exe PID: 7992, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yz2gr4IqEnTCH1g642bo4hrO.exe PID: 7016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Vh2fqCjm9jPtwuJrcfbbwxLj.exe PID: 7660, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Ckxihb2NQynZLzb7wQqDjQv3.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\setup294[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\inte[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\D0v59fae1RRLyzPSbsQoGGZK.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\A6zIGniAZ7NEfPoGNA99xdJC.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\KZrOTs6FcYbq3nj2hpYsaJil.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\1sULHHpeqbgWxmRBkrwHQ2Wq.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\7GonYrcCQJRZWxpQLYX649aX.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5CSwXytovRGWzicTtxKeyiOA.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\7cokQoA6j0WDpV84Xp72tQca.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AO0lQiXja0SJ1xVYKQpJ0RgU.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4eN6JMBulbZWTUqm8bHwZ2Cg.exe | Joe Sandbox ML: detected

Exploits

Source: Yara match | File source: 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe PID: 7412, type: MEMORYSTR

Bitcoin Miner

Source: Yara match | File source: 24.2.Vh2fqCjm9jPtwuJrcfbbwxLj.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Yz2gr4IqEnTCH1g642bo4hrO.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.JIsbjewlnghreiCB15kllzTk.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.3312827601.0000000000843000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: JIsbjewlnghreiCB15kllzTk.exe PID: 7992, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yz2gr4IqEnTCH1g642bo4hrO.exe PID: 7016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Vh2fqCjm9jPtwuJrcfbbwxLj.exe PID: 7660, type: MEMORYSTR

Compliance

Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Unpacked PE file: 8.2.JPl4ZLOvy3fY5RSXGk5s9Gl5.exe.400000.0.unpack
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Unpacked PE file: 15.2.XEAazEoSTmJSOa66cXm6S07v.exe.400000.0.unpack
Source: C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe | Unpacked PE file: 23.2.SU1be6oqYDorLkUc1l6IPPFB.exe.400000.0.unpack
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240418023618399.log
Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240418023635601.log
Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240418023630151.log
Source: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240418023639593.log
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: CasPol.exe, 00000003.00000002.3402975175.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.000000000350B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\rif.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2160641727.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137960546.000001C315FF2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2135746383.000001C315F94000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2138485669.000001C316026000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137960546.000001C31601A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: "C:\bazut.pdb source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000002.3336654338.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000000.1671086635.000000000041A000.00000002.00000001.01000000.00000007.sdmp, XEAazEoSTmJSOa66cXm6S07v.exe, 0000000F.00000002.3379557412.0000000002FE7000.00000004.00000020.00020000.00000000.sdmp, XEAazEoSTmJSOa66cXm6S07v.exe, 0000000F.00000000.1745083887.000000000041A000.00000002.00000001.01000000.0000000D.sdmp, SU1be6oqYDorLkUc1l6IPPFB.exe, 00000017.00000002.3389956114.0000000002FB7000.00000004.00000020.00020000.00000000.sdmp, SU1be6oqYDorLkUc1l6IPPFB.exe, 00000017.00000000.1842263103.000000000041A000.00000002.00000001.01000000.00000014.sdmp
                      Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: wextract.pdbH source: CasPol.exe, 00000003.00000002.3402975175.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.000000000350B000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\fidizinuhufi\zicavudojel-cugusanek_gaz.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2135649699.000001C316201000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\bazut.pdb source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000002.3336654338.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000000.1671086635.000000000041A000.00000002.00000001.01000000.00000007.sdmp, XEAazEoSTmJSOa66cXm6S07v.exe, 0000000F.00000002.3379557412.0000000002FE7000.00000004.00000020.00020000.00000000.sdmp, XEAazEoSTmJSOa66cXm6S07v.exe, 0000000F.00000000.1745083887.000000000041A000.00000002.00000001.01000000.0000000D.sdmp, SU1be6oqYDorLkUc1l6IPPFB.exe, 00000017.00000002.3389956114.0000000002FB7000.00000004.00000020.00020000.00000000.sdmp, SU1be6oqYDorLkUc1l6IPPFB.exe, 00000017.00000000.1842263103.000000000041A000.00000002.00000001.01000000.00000014.sdmp
                      Source: Binary string: C:\batexozecode 78_gu.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000000.1682392909.000000000041A000.00000002.00000001.01000000.00000008.sdmp, 7ifrWkUACu1QmnINWqs0eu9h.exe, 0000000B.00000000.1683701177.000000000041A000.00000002.00000001.01000000.00000009.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188271107.000001C3168EC000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2183852313.000001C31675A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2171495094.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2187695382.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2175070782.000001C316228000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2201691097.000001C317103000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2177725105.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2204051794.000001C31699F000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184196785.000001C316271000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182555067.000001C316622000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188586155.000001C316738000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2186821319.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188931136.000001C316B3E000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2189325898.000001C316EB0000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2191286929.000001C316624000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2177566461.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188346464.000001C316626000.00000004.00000020.00020000.00000000.sdmp, QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000000.1751272697.000000000041A000.00000002.00000001.01000000.0000000E.sdmp, QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000002.3350968416.000000000041A000.00000002.00000001.01000000.0000000E.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000000.1762856940.000000000041A000.00000002.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000000.1856174156.000000000041A000.00000002.00000001.01000000.00000015.sdmp, PqdYh9kiVSkf3FjC9RDfcS2e.exe, 0000001B.00000002.3326421294.000000000041A000.00000002.00000001.01000000.00000016.sdmp, F6G6Y5cEUOHQw9dTwu4nNoIO.exe, 00000028.00000000.1982328768.000000000041A000.00000002.00000001.01000000.00000020.sdmp
                      Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: C:\Users\weckb\source\repos\Extension Installer\Extension Installer\obj\x64\Release\Extension Installer.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182563385.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180544126.000001C315F4E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: EfiGuardDxe.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: 2C:\batexozecode 78_gu.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000000.1682392909.000000000041A000.00000002.00000001.01000000.00000008.sdmp, 7ifrWkUACu1QmnINWqs0eu9h.exe, 0000000B.00000000.1683701177.000000000041A000.00000002.00000001.01000000.00000009.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188271107.000001C3168EC000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2183852313.000001C31675A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2171495094.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2187695382.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2175070782.000001C316228000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2201691097.000001C317103000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2177725105.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2204051794.000001C31699F000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184196785.000001C316271000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182555067.000001C316622000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188586155.000001C316738000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2186821319.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188931136.000001C316B3E000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2189325898.000001C316EB0000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2191286929.000001C316624000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2177566461.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188346464.000001C316626000.00000004.00000020.00020000.00000000.sdmp, QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000000.1751272697.000000000041A000.00000002.00000001.01000000.0000000E.sdmp, QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000002.3350968416.000000000041A000.00000002.00000001.01000000.0000000E.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000000.1762856940.000000000041A000.00000002.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000000.1856174156.000000000041A000.00000002.00000001.01000000.00000015.sdmp, PqdYh9kiVSkf3FjC9RDfcS2e.exe, 0000001B.00000002.3326421294.000000000041A000.00000002.00000001.01000000.00000016.sdmp, F6G6Y5cEUOHQw9dTwu4nNoIO.exe, 00000028.00000000.1982328768.000000000041A000.00000002.00000001.01000000.00000020.sdmp
                      Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: H,C:\rif.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2160641727.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137960546.000001C315FF2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2135746383.000001C315F94000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2138485669.000001C316026000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137960546.000001C31601A000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: dbghelp.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: dbghelp.pdbGCTL source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: Loader.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: EfiGuardDxe.pdb7 source: QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000002.3380053915.0000000004D40000.00000040.00000020.00020000.00000000.sdmp
                      Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3388944185.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000000.1698025861.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3351524981.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1720567697.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000000.1821750116.00000000000B7000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3404841613.00000000000B7000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000000.1855030242.00000000000B7000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322123823.00000000000B7000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137349849.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137178358.000001C316026000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2135746383.000001C315F94000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2135746383.000001C31601A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137349849.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137687774.000001C316273000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: C:\sez\cekeber\cevevas.pdb source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000002.3342119410.0000000004A10000.00000004.00000020.00020000.00000000.sdmp, XEAazEoSTmJSOa66cXm6S07v.exe, 0000000F.00000002.3404845206.0000000004B20000.00000004.00000020.00020000.00000000.sdmp, SU1be6oqYDorLkUc1l6IPPFB.exe, 00000017.00000002.3408267639.0000000004B60000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\xudiwojabogaji\pixev41 ru.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180979215.000001C31606C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180871105.000001C316233000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180696167.000001C31629B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180696167.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2183857159.000001C3162BF000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: Unable to locate the .pdb file in this location source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: The module signature does not match with .pdb signature. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: .pdb.dbg source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: '(EfiGuardDxe.pdbx source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: BackgroundTransferHost.pdb source: wjaGPzkDQjpdcbjBR9AwSFKW.exe, 00000016.00000003.1995933643.0000000002043000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: or you do not have access permission to the .pdb location. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: XC:\xudiwojabogaji\pixev41 ru.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180979215.000001C31606C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180871105.000001C316233000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180696167.000001C31629B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180696167.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2183857159.000001C3162BF000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: BackgroundTransferHost.pdbGCTL source: wjaGPzkDQjpdcbjBR9AwSFKW.exe, 00000016.00000003.1995933643.0000000002043000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: GC:\fidizinuhufi\zicavudojel-cugusanek_gaz.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2135649699.000001C316201000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: AppVShNotify.pdb source: wjaGPzkDQjpdcbjBR9AwSFKW.exe, 00000016.00000003.1995933643.0000000002043000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3388944185.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000000.1698025861.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3351524981.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1720567697.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000000.1821750116.00000000000B7000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3404841613.00000000000B7000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000000.1855030242.00000000000B7000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322123823.00000000000B7000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: AppVShNotify.pdbGCTL source: wjaGPzkDQjpdcbjBR9AwSFKW.exe, 00000016.00000003.1995933643.0000000002043000.00000004.00000020.00020000.00000000.sdmp

                      Change of critical system settings

                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C2D6C799-1878-4A10-AE0B-BB0304219A47}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C2D6C799-1878-4A10-AE0B-BB0304219A47}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeCode function: 22_2_0040553A FindFirstFileA,22_2_0040553A
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeCode function: 22_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,22_2_004055DE
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeFile opened: C:\Users\user\AppData\Local\Temp\
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeFile opened: C:\Users\user\AppData\Local\
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeFile opened: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeFile opened: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeFile opened: C:\Users\user\AppData\
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeFile opened: C:\Users\user\

                      Networking

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: EEmi2L6GuCPkhaixWFWgtXmC.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: mLelSKT2LDJXIBhhiZbtJLRy.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: dNJx8I5qbjWEp5UtzqYCiiad.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: lxJL7FOaOc6Tkk0XNttI4ctE.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: JsR15JaJDFzaXbSvvkMXKGOy.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: gRYJFiU6bkvQhx8faYvTd9ih.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: QI8XvF6duFZ0OdsmbJPQIRnh.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: VBK0acBbP8jSA9iTV62oCIGo.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: KWbVzicuAiSBYHryJZst17v9.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: bxrHv2BMlcULxp3nGjO9PIeE.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: Kocn1QGnt5lNON74XhjpO8L3.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: sZo8dt9VSX8cm31TuXOiptH3.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: jvm8OUFmYtzvgwR72YgLOVLo.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: c02zgoz7VFjrBiCTIiJdXKzh.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: YZSfYHwWFKrX6Pjkpe42m3a3.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: D1DNzbYhZ5irlEMiXjcU2a2e.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: YGTS10whU5xLzk2bVxVWnmYS.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: oQDwIFVWS8CDFis7e7hIkdVf.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: dTzJTeCvH5akGV8vPoopaG4c.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: OwiOgmO3oIyIM5MtwxyFTS2j.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: zU6BSyD8WoQsImtLem5lAF2x.exe.3.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: 72ikwo0xN8m7DIEmg8FL68i9.exe.3.dr
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: q8kYHwm3PccnSPsq8WHAVhzd.exe.13.dr
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: t1TVh5wiN6nn0UU6UNFGbozD.exe.13.dr
                      Source: JIsbjewlnghreiCB15kllzTk.exeString found in binary or memory: s25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds maximum o
                      Source: JIsbjewlnghreiCB15kllzTk.exeString found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackint
                      Source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000400000.00000040.00000001.01000000.00000008.sdmpString found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exeString found in binary or memory: s25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds maximum o
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exeString found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackint
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmpString found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
                      Source: Yara matchFile source: 3.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe.1e7b7d49938.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe.1e7b7d46ef8.1.raw.unpack, type: UNPACKEDPE
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeCode function: 8_2_004263E5 __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket,8_2_004263E5
                      Source: syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: c. Facebook Messenger: A messaging service provided by Facebook, Inc., Meta Platforms Ireland Ltd. or related companies, depending on where you are accessing their services. Terms of use are available at https://www.facebook.com/legal/terms; and equals www.facebook.com (Facebook)
                      Source: JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exeString found in binary or memory: OS X; U; en) Presto/2.6.30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: internal error: handshake returned an error but is marked successfultls: received unexpected handshake message of type %T when waiting for %T equals www.facebook.com (Facebook)
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline' equals www.facebook.com (Facebook)
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline' equals www.twitter.com (Twitter)
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline' equals www.youtube.com (Youtube)
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline' equals www.facebook.com (Facebook)
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline' equals www.twitter.com (Twitter)
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline' equals www.youtube.com (Youtube)
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline'% equals www.facebook.com (Facebook)
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline'% equals www.twitter.com (Twitter)
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline'% equals www.youtube.com (Youtube)
                      Source: JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exeString found in binary or memory: o Debian/1.6-7Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916 equals www.facebook.com (Facebook)
                      Source: CasPol.exe, 00000003.00000002.3402975175.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.00000000034E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.172.128.59/ISetup2.exe
                      Source: CasPol.exe, 00000003.00000002.3402975175.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.00000000034E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.175/server/ww15/AppGate2103v15.exe
                      Source: CasPol.exe, 00000003.00000002.3402975175.00000000034A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://5.42.64.17
                      Source: CasPol.exe, 00000003.00000002.3402975175.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.00000000034E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://5.42.64.17/files/InstallCharityEngine_7.14.2_S16-01.exe$n
                      Source: CasPol.exe, 00000003.00000002.3402975175.00000000034A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://5.42.64.17/files/setup.exe
                      Source: CasPol.exe, 00000003.00000002.3402975175.00000000034E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://5.42.64.17/files/setup.exe$n
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2123609804.000001C315EB6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2152191829.000001C315F49000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2164068721.000001C315F4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.65.64/download.php?pub=inte
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2128178380.000001C315F4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.65.64/download.php?pub=inte$
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182784722.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2241367516.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181878238.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2215403785.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2123609804.000001C315EBB000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179158263.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179788596.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181344004.000001C315EA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.65.64/download.php?pub=inte-J
                      Source: JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exeString found in binary or memory: http://www.spidersoft.com)
                      Source: 3wiDjAuNAMEeKc2Sp8AJvkHN.exe, 00000012.00000002.1863098808.00007FF788E51000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
                      Source: JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exeString found in binary or memory: http://yandex.com/bots)Opera
                      Source: JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exeString found in binary or memory: http://yandex.com/bots)Opera/9.51
                      Source: syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://addons.opera.com/en/extensions/details/dify-cashback/
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f.opera.com
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.tiktok.com
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/geolocation/
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/https://autoupdate.geo.opera.com/geolocation/OperaDesktophttps://cr
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315EC9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://baldurgatez.com/
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2162785597.000001C315F90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://baldurgatez.com/7725eaa6592c80f8124e769b4e8a07f7.exeUniverse
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181344004.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181878238.000001C315E6A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2215403785.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2123609804.000001C315E6D000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182784722.000001C315E6C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179788596.000001C315E6A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2241367516.000001C315E6D000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179158263.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://baldurgatez.com:80/7725eaa6592c80f8124e769b4e8a07f7.exe
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmpString found in binary or memory: https://blockchain.infoindex
                      Source: JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exeString found in binary or memory: https://blockstream.info/apiinva
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315EC9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://c.574859385.xyz/
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181344004.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315EC9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://c.574859385.xyz/525403/setup.exe
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181878238.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181344004.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179788596.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182784722.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179158263.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315EC9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://carthewasher.net/
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E64000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315E64000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2215403785.000001C315E64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://carthewasher.net/bfdb39976dca392638e6450f1175fa96/cad54ba5b01423b1af8ec10ab5719d97.exe
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ampproject.org
                      Source: JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exeString found in binary or memory: https://cdn.discordapp.com/attachments/1088058556286251082/1111230812579450950/TsgVtmYNoFT.zipMozill
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.syndication.twimg.com
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://connect.facebook.net
                      Source: CasPol.exe, 00000003.00000002.3402975175.00000000034DC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://counter.yadro.ru/hit?
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://crashpad.chromium.org/
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://crashpad.chromium.org/bug/new
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
                      Source: syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3375978715.0000000001540000.00000004.00000020.00020000.00000000.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3411019967.0000000026E24000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crashstats-collector.opera.com/collector/submit
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3312401333.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3379675307.000000004E414000.00000004.00001000.00020000.00000000.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3375978715.0000000001548000.00000004.00000020.00020000.00000000.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3410961097.0000000026E14000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crashstats-collector.opera.com/collector/submit--annotation=channel=Stable--annotation=plat=
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3397102920.000000004E4B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crashstats-collector.opera.com/collector/submit--monitor-self-annotation=ptype=crashpad-hand
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3379731294.000000004E424000.00000004.00001000.00020000.00000000.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3411019967.0000000026E24000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crashstats-collector.opera.com/collector/submit0x298
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3397102920.000000004E4B0000.00000004.00001000.00020000.00000000.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3387261111.000000004E454000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crashstats-collector.opera.com/collector/submitC:
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3388590431.000000004E45C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crashstats-collector.opera.com/collector/submitNE
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3387261111.000000004E454000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crashstats-collector.opera.com/collector/submitNEB
                      Source: 0XytwVHS3WE9jtGuuRid6GiP.exe, 0000001C.00000002.3375964765.0000000000ACB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/
                      Source: 0XytwVHS3WE9jtGuuRid6GiP.exe, 0000001C.00000002.3375964765.0000000000ACB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/2
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197680891.000001C316094000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.vk.com
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller
                      Source: syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://features.opera-api2.com/api/v2/features?country=%s&language=%s&uuid=%s&product=%s&channel=%s
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://gamemaker.io
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://gamemaker.io)
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://gamemaker.io/en/education.
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://gamemaker.io/en/get.
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181344004.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181878238.000001C315E6A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174178888.000001C315F91000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2155661442.000001C315F3D000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182784722.000001C315E6C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179788596.000001C315E6A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2164068721.000001C315F3D000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2176714058.000001C315F91000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179158263.000001C315E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gigachadfanclub.org/bfdb39976dca392638e6450f1175fa96/7725eaa6592c80f8124e769b4e8a07f7.exe
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315E8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gigachadfanclub.org/bfdb39976dca392638e6450f1175fa96/7725eaa6592c80f8124e769b4e8a07f7.exe4V
                      Source: JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exeString found in binary or memory: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exeBlackBerr
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2250598835.000001C31606B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2214896326.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2201459715.000001C315E57000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316079000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219601594.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C31608B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2250598835.000001C31606B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2214896326.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2201459715.000001C315E57000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316079000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219601594.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C31608B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 
0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/css/al/base.7c74f023.css
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2250598835.000001C31606B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2214896326.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2201459715.000001C315E57000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316079000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2226129974.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219601594.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219601594.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C31608B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 
0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/css/al/common.1545e5c6.css
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2250598835.000001C31606B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2214896326.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2201459715.000001C315E57000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316079000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219601594.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C31608B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 
0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/css/al/fonts_cnt.c7a76efe.css
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2250598835.000001C31606B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2214896326.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2201459715.000001C315E57000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316079000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219601594.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C31608B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 
0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/css/al/fonts_utf.7fa94ada.css
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/css/al/ui_common.eebaf9c8.css
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/css/al/uncommon.6d51982c.css
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/css/al/vk_sans_display.5625d45f.css
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/css/al/vk_sans_display_faux.7d208ecb.css
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2250598835.000001C31606B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2214896326.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2201459715.000001C315E57000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316079000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219601594.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C31608B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 
0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/css/al/vkui.43318ab6.css
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/css/fonts/VKSansDisplayDemiBoldFaux.v100.woff2
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/dist/web/chunks/audioplayer-lib.89b663a3.js
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/dist/web/chunks/audioplayer-lib.93b52d88.css
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/dist/web/chunks/common.468f0071.js
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/dist/web/chunks/palette.361d379a.css
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/dist/web/chunks/palette.434ea2ce.js
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/dist/web/chunks/react.759f82b6.js
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/dist/web/chunks/state-management.c22f9f68.js
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/dist/web/chunks/vkcom-kit-icons.826b9222.js
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/dist/web/chunks/vkcom-kit.5f623236.css
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://st6-22.vk.com/dist/web/chunks/vkcom-kit.d0208b10.js
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2123609804.000001C315EC3000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181878238.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181344004.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2215403785.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179788596.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182784722.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179158263.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315EC9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://triedchicken.net/
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2123609804.000001C315EC3000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181878238.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181344004.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2215403785.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179788596.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182784722.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179158263.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315EC9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://triedchicken.net/B
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137349849.000001C316201000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181344004.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181878238.000001C315E6A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2215403785.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2123609804.000001C315E6D000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182784722.000001C315E6C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179788596.000001C315E6A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2241367516.000001C315E6D000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179158263.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181344004.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181878238.000001C315E6A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2215403785.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2123609804.000001C315E6D000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182784722.000001C315E6C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179788596.000001C315E6A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2241367516.000001C315E6D000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179158263.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe:
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181344004.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181878238.000001C315E6A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2215403785.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2123609804.000001C315E6D000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182784722.000001C315E6C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179788596.000001C315E6A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2241367516.000001C315E6D000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179158263.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exej
                      Source: JIsbjewlnghreiCB15kllzTk.exe, JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmpString found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://twitter.com/en/tos;
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/0u0uDuw
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181344004.000001C315E69000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181878238.000001C315E6A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179788596.000001C315E6A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179158263.000001C315E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/Nuq
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2241367516.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2215403785.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/browser_reports?de
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E8A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/browser_reports?dest=default_reports
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179717574.000001C315E4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/doc329118071_676580549?hash=pFVdCz3lOS502jpZ4S1mZuaA9EuN2MatBz9F2cxg7Ac&dl=ej7ecTKnt3
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179717574.000001C315E4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/doc5294803_668512951?hash=uac9wbeb45bZZ2A4Vgx1xpUTavuZvoy56VWHrfJX9iH&dl=BnUuPvvpE2Gl
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2201459715.000001C315E4A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179717574.000001C315E4A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/doc5294803_668652542?hash=KlAQZ4zXtzzV5eLSZ1KaXKdCOpfsWxOfH5GyV92XrPL&dl=yPhjzrub8w5M
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179717574.000001C315E4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/doc5294803_668661395?hash=uQQoAVY7lWMuchlYkCFbK0P2SVazuAiimzHIh07ASrs&dl=WO5eZhu0JdqJ
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179717574.000001C315E4A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/doc5294803_668706588?hash=Cas6KM0FtrzNQfYftz7JyxKZDtxiBfna0d31zWD3F1L&dl=EtRQUHZNtDlx
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2123609804.000001C315EC3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com:80/doc5294803_668661395?hash=uQQoAVY7lWMuchlYkCFbK0P2SVazuAiimzHIh07ASrs&dl=WO5eZhu0J
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.ru
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006751000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.instagram.com
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.opera.com
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.opera.com..
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.opera.com/
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.opera.com/download/
                      Source: syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.opera.com/privacy
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.whatsapp.com/legal;
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yastatic.net
                      Source: CasPol.exe, 00000003.00000002.3402975175.00000000034A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://yip.su/RNWPd.exe
                      Source: CasPol.exe, 00000003.00000002.3402975175.00000000034DC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://yip.su/redirect-

                      E-Banking Fraud

                      Source: Yara match | File source: 24.2.Vh2fqCjm9jPtwuJrcfbbwxLj.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.Yz2gr4IqEnTCH1g642bo4hrO.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.JIsbjewlnghreiCB15kllzTk.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.3312827601.0000000000843000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: JIsbjewlnghreiCB15kllzTk.exe PID: 7992, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Yz2gr4IqEnTCH1g642bo4hrO.exe PID: 7016, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Vh2fqCjm9jPtwuJrcfbbwxLj.exe PID: 7660, type: MEMORYSTR

                      System Summary

                      Source: 00000008.00000002.3336518839.0000000002F1E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                      Source: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                      Source: 00000017.00000002.3372271879.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                      Source: 0000000F.00000002.3375966593.0000000002FAE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                      Source: 00000010.00000002.3380053915.0000000004D40000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                      Source: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                      Source: 00000017.00000002.3387263069.0000000002F7E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                      Source: C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exe, type: DROPPEDMatched rule: Detects zgRAT Author: ditekSHen
                      Source: GNcg3yiDrmzw07ZdoxfNbs1v.exe.3.drStatic PE information: section name: .vmp#V
                      Source: GNcg3yiDrmzw07ZdoxfNbs1v.exe.3.drStatic PE information: section name: .vmp#V
                      Source: GNcg3yiDrmzw07ZdoxfNbs1v.exe.3.drStatic PE information: section name: .vmp#V
                      Source: MphEWivXVroFMrkzyLgmuj2t.exe.3.drStatic PE information: section name: .vmp#V
                      Source: MphEWivXVroFMrkzyLgmuj2t.exe.3.drStatic PE information: section name: .vmp#V
                      Source: MphEWivXVroFMrkzyLgmuj2t.exe.3.drStatic PE information: section name: .vmp#V
                      Source: N9QaRzQ0AfOLtw4JsIq3BGlx.exe.3.drStatic PE information: section name: .vmp#V
                      Source: N9QaRzQ0AfOLtw4JsIq3BGlx.exe.3.drStatic PE information: section name: .vmp#V
                      Source: N9QaRzQ0AfOLtw4JsIq3BGlx.exe.3.drStatic PE information: section name: .vmp#V
                      Source: dhes16NzxQrsGp1NLOpKhYEG.exe.3.drStatic PE information: section name: .vmp#V
                      Source: dhes16NzxQrsGp1NLOpKhYEG.exe.3.drStatic PE information: section name: .vmp#V
                      Source: dhes16NzxQrsGp1NLOpKhYEG.exe.3.drStatic PE information: section name: .vmp#V
                      Source: si8fAgQZyD6Cx4plDNMQadak.exe.3.drStatic PE information: section name: .vmp#V
                      Source: si8fAgQZyD6Cx4plDNMQadak.exe.3.drStatic PE information: section name: .vmp#V
                      Source: si8fAgQZyD6Cx4plDNMQadak.exe.3.drStatic PE information: section name: .vmp#V
                      Source: xWO4HdGMj74aDnNwcibeJHOS.exe.3.drStatic PE information: section name: .vmp#V
                      Source: xWO4HdGMj74aDnNwcibeJHOS.exe.3.drStatic PE information: section name: .vmp#V
                      Source: xWO4HdGMj74aDnNwcibeJHOS.exe.3.drStatic PE information: section name: .vmp#V
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe.3.drStatic PE information: section name: .vmp#V
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe.3.drStatic PE information: section name: .vmp#V
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe.3.drStatic PE information: section name: .vmp#V
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Windows\System32\GroupPolicy\gpt.ini
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Windows\System32\GroupPolicy\Machine
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Windows\System32\GroupPolicy\User
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Code function: 0_2_00007FFD9B889B78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Code function: 0_2_00007FFD9B889B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Code function: 0_2_00007FFD9B88586D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Code function: 0_2_00007FFD9B885660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Code function: 0_2_00007FFD9B88CDE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Code function: 0_2_00007FFD9B895E1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Code function: 0_2_00007FFD9B88AF5D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Code function: 0_2_00007FFD9B895E69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Code function: 0_2_00007FFD9B891595
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_0040BA80
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_0040C2AC
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_004123A0
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_0040F441
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_0042140C
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_0040BD2A
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_0041BE39
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_0040C6A0
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_00408761
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_0040B70E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_0041B722
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_0040BFF1
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_049ABCE7
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_049AC513
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_049AF6A8
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_049B2607
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_049ABF91
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_049BB989
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_049A89C8
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_049AC907
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_049AB975
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_049AC258
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: 14_2_6B92E700
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: 14_2_6B9A97AC
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: 14_2_6B87F9D0
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: 14_2_6B98A160
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: 14_2_6B9AD960
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: 14_2_6B9D0CBA
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: 14_2_6B96E0D0
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: 14_2_6B9CE8F9
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: 14_2_6B9AA43D
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_0040BA80
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_0040C2AC
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_004123A0
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_0040F441
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_0042140C
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_0040BD2A
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_0041BE39
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_0040C6A0
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_00408761
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_0040B70E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_0041B722
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_0040BFF1
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_02EDC258
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_02ED89C8
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_02EEB989
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_02EDB975
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_02EDC907
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_02EDF6A8
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_02EE2607
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_02EDBF91
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_02EDBCE7
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: 15_2_02EDC513
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | Code function: 22_2_004162A6
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | Code function: 22_2_0040E5A5
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | Code function: 22_2_004126B0
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | Code function: 22_2_00403A01
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | Code function: 22_2_00418EF1
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | Code function: 22_2_00418FCB
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: String function: 049A9F27 appears 48 times
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: String function: 00427488 appears 43 times
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: String function: 049C76EF appears 43 times
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: String function: 02ED9F27 appears 48 times
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: String function: 02EF76EF appears 43 times
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: String function: 00427488 appears 43 times
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | Code function: String function: 00403A9C appears 33 times
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | Code function: String function: 00413954 appears 177 times
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: String function: 6B9D98A0 appears 53 times
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 208 -p 7412 -ip 7412
Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Static PE information: invalid certificate
Source: i3cGHUfhs02OIuQ54eKiruit.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: LLoAVhqqC3TlPmj3xeFbhIJr.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: x6grxPSTyIeA8EPDMgptrwYO.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: T2RIU3FpH6dczIGTG32vuvvE.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: N9QaRzQ0AfOLtw4JsIq3BGlx.exe.3.dr | Static PE information: Number of sections : 12 > 10
Source: xWO4HdGMj74aDnNwcibeJHOS.exe.3.dr | Static PE information: Number of sections : 12 > 10
Source: GNcg3yiDrmzw07ZdoxfNbs1v.exe.3.dr | Static PE information: Number of sections : 12 > 10
Source: dhes16NzxQrsGp1NLOpKhYEG.exe.3.dr | Static PE information: Number of sections : 12 > 10
Source: si8fAgQZyD6Cx4plDNMQadak.exe.3.dr | Static PE information: Number of sections : 12 > 10
Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe.3.dr | Static PE information: Number of sections : 12 > 10
Source: MphEWivXVroFMrkzyLgmuj2t.exe.3.dr | Static PE information: Number of sections : 12 > 10
Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2720344847.000001E7C7EA7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUlacufekomiqewoF vs SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe
Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B7D38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNew.exe" vs SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe
Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000000.1628758907.000001E7B5D74000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameUbazafeH vs SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe
Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411204434.000001E7B7AE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameUlacufekomiqewoF vs SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe
Source: 00000008.00000002.3336518839.0000000002F1E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000017.00000002.3372271879.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000F.00000002.3375966593.0000000002FAE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000002.3380053915.0000000004D40000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000017.00000002.3387263069.0000000002F7E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exe, type: DROPPED | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@132/280@0/41
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: 14_2_6B889C20 FormatMessageW,GetLastError,LocalFree
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_02F1F78E CreateToolhelp32Snapshot,Module32First
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Local\lxJL7FOaOc6Tkk0XNttI4ctE.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_15
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7412
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pfx1wdjg.dd1.ps1
Source: Yara match | File source: 00000008.00000003.2351558121.000000000634A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\u224.1.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\u63s.1.exe, type: DROPPED
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5me5kJjaX6nSu3LrmZClhT87.bat" "
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: one | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: one | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: two | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: two | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: three | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: three | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: four | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: four | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: five | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: five | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: six | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: six | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: seven | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: seven | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: eight | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: eight | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: nine | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: nine | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: ten | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: ten | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: one | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: two | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: three | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: four | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: five | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: six | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: seven | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: eight | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: nine | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: ten | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.90 | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.90 | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.90 | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: Installed | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: Installed | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.228 | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.228 | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.228 | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.59 | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.59 | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: /syncUpd.exe | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: /syncUpd.exe | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.59 | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: /syncUpd.exe | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.228 | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.228 | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: /BroomSetup.exe | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: /BroomSetup.exe | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.228 | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: /BroomSetup.exe | 8_2_00424A0E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: @ | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: one | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: one | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: two | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: two | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: three | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: three | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: four | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: four | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: five | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: five | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: six | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: six | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: seven | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: seven | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: eight | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: eight | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: nine | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: nine | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: ten | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: ten | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.90 | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.90 | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.90 | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: Installed | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: Installed | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.228 | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.228 | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.228 | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.59 | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.59 | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: /syncUpd.exe | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: /syncUpd.exe | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.59 | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: /syncUpd.exe | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.228 | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.228 | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: /BroomSetup.exe | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: /BroomSetup.exe | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: 185.172.128.228 | 8_2_049C4C75
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Command line argument: /BroomSetup.exe | 8_2_049C4C75
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: one | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: one | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: two | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: two | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: three | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: three | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: four | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: four | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: five | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: five | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: six | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: six | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: seven | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: seven | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: eight | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: eight | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: nine | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: nine | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: ten | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: ten | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: one | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: two | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: three | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: four | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: five | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: six | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: seven | 15_2_00424A0E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Command line argument: eight | 15_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: nine15_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: ten15_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.9015_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.9015_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.9015_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: Installed15_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: Installed15_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.22815_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.22815_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.22815_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.5915_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.5915_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: /syncUpd.exe15_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: /syncUpd.exe15_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.5915_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: /syncUpd.exe15_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.22815_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.22815_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: /BroomSetup.exe15_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: /BroomSetup.exe15_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.22815_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: /BroomSetup.exe15_2_00424A0E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: @15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: one15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: one15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: two15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: two15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: three15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: three15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: four15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: four15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: five15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: five15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: six15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: six15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: seven15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: seven15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: eight15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: eight15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: nine15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: nine15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: ten15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: ten15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.9015_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.9015_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.9015_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: Installed15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: Installed15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.22815_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.22815_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.22815_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.5915_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.5915_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: /syncUpd.exe15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: /syncUpd.exe15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.5915_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: /syncUpd.exe15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.22815_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.22815_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: /BroomSetup.exe15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: /BroomSetup.exe15_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: 185.172.128.22815_2_02EF4C75
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeCommand line argument: /BroomSetup.exe15_2_02EF4C75
                      Source: C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exeCommand line argument: nOA16_2_00414EC0
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: 3wiDjAuNAMEeKc2Sp8AJvkHN.exe, 00000012.00000002.1863098808.00007FF788E51000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                      Source: 3wiDjAuNAMEeKc2Sp8AJvkHN.exe, 00000012.00000002.1863098808.00007FF788E51000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | ReversingLabs: Detection: 23%
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Virustotal: Detection: 21%
                      Source: JIsbjewlnghreiCB15kllzTk.exe | String found in binary or memory: yscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerCo
                      Source: JIsbjewlnghreiCB15kllzTk.exe | String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe
                      Source: JIsbjewlnghreiCB15kllzTk.exe | String found in binary or memory: PED-ADDRESSMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMissing quotesModule32FirstWNetUserGetInfoNot AcceptableNtResumeThreadOSArchitectureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWProtection DirQuotation_MarkRCodeNameErrorREFUSED_STR
                      Source: JIsbjewlnghreiCB15kllzTk.exe | String found in binary or memory: inateProcessTor current modeTor is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: address
                      Source: JIsbjewlnghreiCB15kllzTk.exe | String found in binary or memory: unknown network unpacking headerworkbuf is emptywrite config: %wwww-authenticate spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustToke
                      Source: JIsbjewlnghreiCB15kllzTk.exe | String found in binary or memory: Temporary RedirectTerminateJobObjectTime.MarshalJSON: Time.MarshalText: UNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESSadaptivestackstartbad Content-Lengthbad manualFreeListbufio: b
                      Source: JIsbjewlnghreiCB15kllzTk.exe | String found in binary or memory: .654WDG_Validator/1.6.2WSALookupServiceEndWaitForSingleObjectWindowsCreateStringWindowsDeleteStringWinmonSystemMonitorXOR-RELAYED-ADDRESSYukon Standard Timeadjusttimers: bad pafter array elementattribute not foundbad ABI descriptionbad file descriptorbad kind
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe | String found in binary or memory: yscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerCo
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe | String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe | String found in binary or memory: PED-ADDRESSMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMissing quotesModule32FirstWNetUserGetInfoNot AcceptableNtResumeThreadOSArchitectureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWProtection DirQuotation_MarkRCodeNameErrorREFUSED_STR
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe | String found in binary or memory: inateProcessTor current modeTor is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: address
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe | String found in binary or memory: unknown network unpacking headerworkbuf is emptywrite config: %wwww-authenticate spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustToke
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe | String found in binary or memory: Temporary RedirectTerminateJobObjectTime.MarshalJSON: Time.MarshalText: UNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESSadaptivestackstartbad Content-Lengthbad manualFreeListbufio: b
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe | String found in binary or memory: .654WDG_Validator/1.6.2WSALookupServiceEndWaitForSingleObjectWindowsCreateStringWindowsDeleteStringWinmonSystemMonitorXOR-RELAYED-ADDRESSYukon Standard Timeadjusttimers: bad pafter array elementattribute not foundbad ABI descriptionbad file descriptorbad kind
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" -Force
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 208 -p 7412 -ip 7412
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7412 -s 1156
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe "C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe "C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exe "C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe "C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe" --silent --allusers=0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe "C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe"
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Process created: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2bc,0x6c60e1d0,0x6c60e1dc,0x6c60e1e8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe "C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exe "C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exe "C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe "C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe "C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe" --silent --allusers=0
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe | Process created: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6bf8e1d0,0x6bf8e1dc,0x6bf8e1e8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe "C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe "C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exe "C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exe"
                      Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5me5kJjaX6nSu3LrmZClhT87.bat" "
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\PqdYh9kiVSkf3FjC9RDfcS2e.exe "C:\Users\user\Pictures\PqdYh9kiVSkf3FjC9RDfcS2e.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe "C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe" --silent --allusers=0
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\T2RIU3FpH6dczIGTG32vuvvE.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\T2RIU3FpH6dczIGTG32vuvvE.exe" --version
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe | Process created: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6b0de1d0,0x6b0de1dc,0x6b0de1e8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\mm4Q31XfpYKjbn6ceSwXhER9.exe "C:\Users\user\Pictures\mm4Q31XfpYKjbn6ceSwXhER9.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe "C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe"
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exe "C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\1HakjlIwxygCinOPkQfhRxwL.exe "C:\Users\user\Pictures\1HakjlIwxygCinOPkQfhRxwL.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\F6G6Y5cEUOHQw9dTwu4nNoIO.exe "C:\Users\user\Pictures\F6G6Y5cEUOHQw9dTwu4nNoIO.exe"
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe | Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\0XytwVHS3WE9jtGuuRid6GiP.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\0XytwVHS3WE9jtGuuRid6GiP.exe" --version
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe "C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe" --silent --allusers=0
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe .\Install.exe /sQwdidHh "385118" /S
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe "C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" -Force
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe "C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe "C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exe "C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe "C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe" --silent --allusers=0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe "C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe "C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exe "C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exe "C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe "C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe "C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe" --silent --allusers=0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe "C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe "C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exe "C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\PqdYh9kiVSkf3FjC9RDfcS2e.exe "C:\Users\user\Pictures\PqdYh9kiVSkf3FjC9RDfcS2e.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe "C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe" --silent --allusers=0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\mm4Q31XfpYKjbn6ceSwXhER9.exe "C:\Users\user\Pictures\mm4Q31XfpYKjbn6ceSwXhER9.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe "C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\1HakjlIwxygCinOPkQfhRxwL.exe "C:\Users\user\Pictures\1HakjlIwxygCinOPkQfhRxwL.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\F6G6Y5cEUOHQw9dTwu4nNoIO.exe "C:\Users\user\Pictures\F6G6Y5cEUOHQw9dTwu4nNoIO.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe "C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe" --silent --allusers=0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe "C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 208 -p 7412 -ip 7412
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7412 -s 1156
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Process created: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2bc,0x6c60e1d0,0x6c60e1dc,0x6c60e1e8
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\T2RIU3FpH6dczIGTG32vuvvE.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\T2RIU3FpH6dczIGTG32vuvvE.exe" --version
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe | Process created: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6bf8e1d0,0x6bf8e1dc,0x6bf8e1e8
Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe .\Install.exe /sQwdidHh "385118" /S
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exe "C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exe"
Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe | Process created: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6b0de1d0,0x6b0de1dc,0x6b0de1e8
Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe | Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\0XytwVHS3WE9jtGuuRid6GiP.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\0XytwVHS3WE9jtGuuRid6GiP.exe" --version
Source: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe | Process created: unknown unknown
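The process-creation lines above carry the most useful signal in this block: CasPol.exe, a signed .NET Framework code-access-security tool that has no reason to launch anything, is the parent of thirteen executables dropped into C:\Users\user\Pictures (several started with the Opera installer switches --silent --allusers=0), and one of those drops in turn unpacks a 7-Zip SFX payload into %TEMP% and runs it silently. The triage script below is an added example, not part of the Joe Sandbox report; it parses lines in the report's raw export form (Source column fused to the event text, optional trailing "Jump to behavior" link text) and applies three parent/child rules: a .NET LOLBin host spawning from a user-writable path, one parent spawning a burst of distinct children from the same user-writable directory, and a dropped binary spawning another dropped binary. It also pulls the crashing PID out of the WerFault.exe command line. The embedded lines are copied from the report; the LOLBin host list and the burst threshold are assumptions chosen for illustration.

```python
"""Triage Joe Sandbox 'Process created' lines for LOLBin-hosted dropper chains."""
import re
from collections import defaultdict
from typing import Dict, List

# Event lines copied from the report above, in raw export form (Source column
# fused to the event text, 'Jump to behavior' link text trailing some lines).
# They are report data, not constructed input.
REPORT_LINES = [
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe "C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe" Jump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe "C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe" --silent --allusers=0Jump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe "C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe" Jump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe "C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe" Jump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exe "C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exe" Jump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: unknown unknownJump to behavior',
    r'Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7412 -s 1156',
    r'Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe .\Install.exe /sQwdidHh "385118" /S',
    r'Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exe "C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exe"',
]

# Assumed starting list of signed .NET Framework utilities that are popular
# injection/hollowing hosts and never legitimately spawn user-dropped binaries.
DOTNET_LOLBIN_HOSTS = {
    "caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "msbuild.exe", "applaunch.exe",
}

# Tolerates both the fused raw export ("...exeProcess created:") and a cleaned
# form with a separator ("...exe | Process created:"), and drops the link text.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?\.exe)\s*\|?\s*Process created:\s*"
    r"(?P<child>unknown|.+?\.exe)(?=\s|$)\s*(?P<cmdline>.*?)\s*(?:Jump to behavior)?\s*$",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    # Everything under C:\Users is writable by the logged-on user: Pictures,
    # Desktop and AppData\Local (including %TEMP%) all appear as drop sites above.
    return path.lower().startswith("c:\\users\\")


def parse_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return one {parent, child, cmdline} dict per recognised event line."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyse(lines: List[str], burst_threshold: int = 5) -> List[Dict[str, object]]:
    """Apply the parent/child rules and return a list of findings."""
    findings: List[Dict[str, object]] = []
    children_by_parent: Dict[str, set] = defaultdict(set)
    for ev in parse_events(lines):
        parent, child = ev["parent"], ev["child"]
        if child == "unknown":
            continue  # sandbox could not resolve the child image; nothing to score
        children_by_parent[parent].add(child)
        if basename(parent) in DOTNET_LOLBIN_HOSTS and is_user_writable(child):
            findings.append({"rule": "lolbin_host_spawns_user_writable",
                             "parent": parent, "child": child})
        if is_user_writable(parent) and is_user_writable(child):
            findings.append({"rule": "dropped_binary_spawns_dropped_binary",
                             "parent": parent, "child": child, "cmdline": ev["cmdline"]})
        if basename(child) == "werfault.exe":
            # "-p <pid>" names the crashing process; "-pss" does not match here.
            pid = re.search(r"-p\s+(\d+)", ev["cmdline"])
            findings.append({"rule": "crash_reported",
                             "pid": pid.group(1) if pid else None})
    # Burst rule: one parent, many distinct children from one user-writable dir.
    for parent, kids in children_by_parent.items():
        by_dir: Dict[str, set] = defaultdict(set)
        for k in kids:
            by_dir[k.rsplit("\\", 1)[0].lower()].add(k)
        for directory, names in by_dir.items():
            if len(names) >= burst_threshold and is_user_writable(directory):
                findings.append({"rule": "burst_dropper", "parent": parent,
                                 "directory": directory, "count": len(names)})
    return findings


if __name__ == "__main__":
    for f in analyse(REPORT_LINES):
        print(f)
```

With the nine embedded lines the script reports five LOLBin-host findings, one burst (CasPol.exe, five distinct children in c:\users\user\pictures), one dropped-binary chain (wjaGPzkDQjpdcbjBR9AwSFKW.exe launching the 7zS2746.tmp\Install.exe SFX payload) and one crash of PID 7412. Running it over the full list above raises the burst count to thirteen; the threshold is the knob to tune against your own telemetry, since a single LOLBin-host hit is already worth an alert on a production endpoint.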
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Section loaded: wshbth.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: nlaapi.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: dnsapi.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: winrnr.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: rasadhlp.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: napinsp.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: pnrpnsp.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: wshbth.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: nlaapi.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: winrnr.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: napinsp.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: pnrpnsp.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: wshbth.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: nlaapi.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: winrnr.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: wldp.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: propsys.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: profapi.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: edputil.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: netutils.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: appresolver.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: bcp47langs.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: slc.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: userenv.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: sppc.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: pcacli.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: mpr.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: sfc_os.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: napinsp.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: pnrpnsp.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: wshbth.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: nlaapi.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: winrnr.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: napinsp.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: pnrpnsp.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: wshbth.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: nlaapi.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: winrnr.dll
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exeSection loaded: msimg32.dll
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exeSection loaded: msvcr100.dll
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exeSection loaded: winmm.dll
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exeSection loaded: powrprof.dll
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exeSection loaded: umpdc.dll
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exeSection loaded: wtsapi32.dll
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exeSection loaded: winsta.dll
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeSection loaded: msimg32.dll
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeSection loaded: msvcr100.dll
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeSection loaded: winmm.dll
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeSection loaded: powrprof.dll
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeSection loaded: umpdc.dll
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeSection loaded: wtsapi32.dll
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeSection loaded: winsta.dll
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: version.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: msimg32.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: secur32.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: dbghelp.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: wininet.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: propsys.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: winmm.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: userenv.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: dbgcore.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: ntmarta.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: wldp.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: profapi.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: winnsi.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: wininet.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: gpedit.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: gpapi.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: activeds.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: dssec.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: dsuiext.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: framedynos.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: adsldpc.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: dsrole.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: logoncli.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: mpr.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: netutils.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: authz.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: ntdsapi.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: webio.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: winnsi.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: dnsapi.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: rasadhlp.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: schannel.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: mskeyprotect.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: ntasn1.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: ncrypt.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: ncryptsslp.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: gpapi.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: wldp.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: amsi.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: userenv.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: profapi.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: netutils.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: dpapi.dll
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: version.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: msimg32.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: secur32.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: dbghelp.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: wininet.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: propsys.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: winmm.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: userenv.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: dbgcore.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeSection loaded: msimg32.dll
                      Source: C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: version.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: msimg32.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: secur32.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: dbghelp.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: wininet.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: propsys.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: winmm.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: userenv.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: dbgcore.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: ntmarta.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: wldp.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: profapi.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: winnsi.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: netutils.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: dnsapi.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: rasadhlp.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: schannel.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: mskeyprotect.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: ntasn1.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: dpapi.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: gpapi.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: ncrypt.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: ncryptsslp.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: version.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: msimg32.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: secur32.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: dbghelp.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: wininet.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: propsys.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: winmm.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: userenv.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: dbgcore.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: acgenral.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: winmm.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: samcli.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: msacm32.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: version.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: userenv.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: dwmapi.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: mpr.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: winmmbase.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: winmmbase.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: netutils.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: aclayers.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: sfc.dll
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: sfc_os.dll
                      Source: C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                      Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\PqdYh9kiVSkf3FjC9RDfcS2e.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\PqdYh9kiVSkf3FjC9RDfcS2e.exeSection loaded: winhttp.dll
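The rows in this section record one module load per line, and the text extraction has run the report's two table cells together so that the process path is immediately followed by "Section loaded:". The following Python is an added example, not part of the Joe Sandbox report or its detection logic: it parses rows in that fused format, collapses repeated loads per process into counts, and flags dropped executables (under C:\Users\user\Pictures) that load modules from a small watchlist. The watchlist and its notes are the editor's triage heuristics (an assumption for this example), and the embedded sample rows are a constructed input copied from the format used in this section.

```python
import re
from collections import OrderedDict

# One report row. Text extraction fuses the two table cells, so the process
# path runs straight into "Section loaded:"; the regex accepts the fused form
# and a form with whitespace between the cells. Matching is case-insensitive.
ROW_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*Section loaded:\s*(?P<dll>\S+)",
    re.IGNORECASE,
)

# Modules that deserve a second look when a *dropped* executable loads them.
# Assumption for this example: the watchlist and notes are the editor's triage
# heuristics, not the sandbox's own signatures.
WATCHLIST = {
    "amsi.dll": "AMSI interface; unusual for a native dropper",
    "wbemcomn.dll": "WMI client runtime; host, AV or VM enumeration via WMI",
    "gpedit.dll": "Group Policy editing API",
    "gpapi.dll": "Group Policy API",
    "dpapi.dll": "DPAPI; typical for credential or cookie decryption",
    "schannel.dll": "Schannel TLS; encrypted download or C2",
    "sfc_os.dll": "Windows File Protection API",
    "activeds.dll": "ADSI; directory or domain enumeration",
    "samcli.dll": "SAM client; local account enumeration",
    "winsta.dll": "window-station and session API (WTS)",
}

# Constructed input: a handful of rows in the fused format this section uses.
SAMPLE_ROWS = r"""Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: winhttp.dll
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: gpedit.dll
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: schannel.dll
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: amsi.dll
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeSection loaded: dpapi.dll
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: samcli.dll
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeSection loaded: sfc_os.dll
"""


def parse_rows(text):
    """Map each process path to its DLLs in load order; repeats are kept as in the report."""
    loads = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            loads.setdefault(m["proc"], []).append(m["dll"].lower())
    return loads


def summarize(loads):
    """Collapse repeated loads into {dll: count} per process, first-seen order preserved."""
    summary = OrderedDict()
    for proc, dlls in loads.items():
        counts = OrderedDict()
        for dll in dlls:
            counts[dll] = counts.get(dll, 0) + 1
        summary[proc] = counts
    return summary


def flag_watchlist(summary, dropped_dir=r"c:\users\user\pictures"):
    """Return (process, dll, note) for dropped executables that load a watchlisted module.
    System binaries such as svchost.exe are skipped: they load these modules legitimately."""
    hits = []
    for proc, counts in summary.items():
        if not proc.lower().startswith(dropped_dir):
            continue
        for dll in counts:
            if dll in WATCHLIST:
                hits.append((proc, dll, WATCHLIST[dll]))
    return hits


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_ROWS))
    for proc, counts in summary.items():
        print(proc)
        for dll, n in counts.items():
            print(f"    {dll}" + (f"  x{n}" if n > 1 else ""))
    for proc, dll, note in flag_watchlist(summary):
        print(f"[watch] {proc.rsplit(chr(92), 1)[-1]} -> {dll}: {note}")
```

Pointing `parse_rows` at the full text of this section instead of `SAMPLE_ROWS` gives a per-process module inventory that is easier to compare across the dropped executables than the raw row list; the svchost.exe rows collapse to two entries with counts, and the dropped samples that touch Group Policy, WMI, Schannel, DPAPI or SAM APIs are listed once each with the reason they were flagged.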
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: version.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: msimg32.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: secur32.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: dbghelp.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: wininet.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: propsys.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: winmm.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: userenv.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: winhttp.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: sspicli.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: dbgcore.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: msasn1.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: uxtheme.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: ntmarta.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: apphelp.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: windows.storage.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: wldp.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: iertutil.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: profapi.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: mswsock.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe	Section loaded: winnsi.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exeSection loaded: dpapi.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exeSection loaded: gpapi.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | File written: C:\Windows\System32\GroupPolicy\gpt.ini
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wextract.pdb source: CasPol.exe, 00000003.00000002.3402975175.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.000000000350B000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\rif.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2160641727.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137960546.000001C315FF2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2135746383.000001C315F94000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2138485669.000001C316026000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137960546.000001C31601A000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: "C:\bazut.pdb source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000002.3336654338.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000000.1671086635.000000000041A000.00000002.00000001.01000000.00000007.sdmp, XEAazEoSTmJSOa66cXm6S07v.exe, 0000000F.00000002.3379557412.0000000002FE7000.00000004.00000020.00020000.00000000.sdmp, XEAazEoSTmJSOa66cXm6S07v.exe, 0000000F.00000000.1745083887.000000000041A000.00000002.00000001.01000000.0000000D.sdmp, SU1be6oqYDorLkUc1l6IPPFB.exe, 00000017.00000002.3389956114.0000000002FB7000.00000004.00000020.00020000.00000000.sdmp, SU1be6oqYDorLkUc1l6IPPFB.exe, 00000017.00000000.1842263103.000000000041A000.00000002.00000001.01000000.00000014.sdmp
                      Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: wextract.pdbH source: CasPol.exe, 00000003.00000002.3402975175.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.000000000350B000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\fidizinuhufi\zicavudojel-cugusanek_gaz.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2135649699.000001C316201000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\bazut.pdb source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000002.3336654338.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000000.1671086635.000000000041A000.00000002.00000001.01000000.00000007.sdmp, XEAazEoSTmJSOa66cXm6S07v.exe, 0000000F.00000002.3379557412.0000000002FE7000.00000004.00000020.00020000.00000000.sdmp, XEAazEoSTmJSOa66cXm6S07v.exe, 0000000F.00000000.1745083887.000000000041A000.00000002.00000001.01000000.0000000D.sdmp, SU1be6oqYDorLkUc1l6IPPFB.exe, 00000017.00000002.3389956114.0000000002FB7000.00000004.00000020.00020000.00000000.sdmp, SU1be6oqYDorLkUc1l6IPPFB.exe, 00000017.00000000.1842263103.000000000041A000.00000002.00000001.01000000.00000014.sdmp
                      Source: Binary string: C:\batexozecode 78_gu.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000000.1682392909.000000000041A000.00000002.00000001.01000000.00000008.sdmp, 7ifrWkUACu1QmnINWqs0eu9h.exe, 0000000B.00000000.1683701177.000000000041A000.00000002.00000001.01000000.00000009.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188271107.000001C3168EC000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2183852313.000001C31675A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2171495094.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2187695382.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2175070782.000001C316228000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2201691097.000001C317103000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2177725105.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2204051794.000001C31699F000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184196785.000001C316271000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182555067.000001C316622000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188586155.000001C316738000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2186821319.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188931136.000001C316B3E000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2189325898.000001C316EB0000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2191286929.000001C316624000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2177566461.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188346464.000001C316626000.00000004.00000020.00020000.00000000.sdmp, QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000000.1751272697.000000000041A000.00000002.00000001.01000000.0000000E.sdmp, QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000002.3350968416.000000000041A000.00000002.00000001.01000000.0000000E.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000000.1762856940.000000000041A000.00000002.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000000.1856174156.000000000041A000.00000002.00000001.01000000.00000015.sdmp, PqdYh9kiVSkf3FjC9RDfcS2e.exe, 0000001B.00000002.3326421294.000000000041A000.00000002.00000001.01000000.00000016.sdmp, F6G6Y5cEUOHQw9dTwu4nNoIO.exe, 00000028.00000000.1982328768.000000000041A000.00000002.00000001.01000000.00000020.sdmp
                      Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: C:\Users\weckb\source\repos\Extension Installer\Extension Installer\obj\x64\Release\Extension Installer.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182563385.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180544126.000001C315F4E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: EfiGuardDxe.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: 2C:\batexozecode 78_gu.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000000.1682392909.000000000041A000.00000002.00000001.01000000.00000008.sdmp, 7ifrWkUACu1QmnINWqs0eu9h.exe, 0000000B.00000000.1683701177.000000000041A000.00000002.00000001.01000000.00000009.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188271107.000001C3168EC000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2183852313.000001C31675A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2171495094.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2187695382.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2175070782.000001C316228000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2201691097.000001C317103000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2177725105.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2204051794.000001C31699F000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184196785.000001C316271000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182555067.000001C316622000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188586155.000001C316738000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2186821319.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188931136.000001C316B3E000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2189325898.000001C316EB0000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2191286929.000001C316624000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2177566461.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2188346464.000001C316626000.00000004.00000020.00020000.00000000.sdmp, QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000000.1751272697.000000000041A000.00000002.00000001.01000000.0000000E.sdmp, QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000002.3350968416.000000000041A000.00000002.00000001.01000000.0000000E.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000000.1762856940.000000000041A000.00000002.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000000.1856174156.000000000041A000.00000002.00000001.01000000.00000015.sdmp, PqdYh9kiVSkf3FjC9RDfcS2e.exe, 0000001B.00000002.3326421294.000000000041A000.00000002.00000001.01000000.00000016.sdmp, F6G6Y5cEUOHQw9dTwu4nNoIO.exe, 00000028.00000000.1982328768.000000000041A000.00000002.00000001.01000000.00000020.sdmp
                      Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: H,C:\rif.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2160641727.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137960546.000001C315FF2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2135746383.000001C315F94000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2138485669.000001C316026000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137960546.000001C31601A000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: dbghelp.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: dbghelp.pdbGCTL source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: Loader.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: EfiGuardDxe.pdb7 source: QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000002.3380053915.0000000004D40000.00000040.00000020.00020000.00000000.sdmp
                      Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3388944185.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000000.1698025861.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3351524981.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1720567697.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000000.1821750116.00000000000B7000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3404841613.00000000000B7000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000000.1855030242.00000000000B7000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322123823.00000000000B7000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137349849.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137178358.000001C316026000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2135746383.000001C315F94000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2135746383.000001C31601A000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137349849.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2137687774.000001C316273000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: C:\sez\cekeber\cevevas.pdb source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000002.3342119410.0000000004A10000.00000004.00000020.00020000.00000000.sdmp, XEAazEoSTmJSOa66cXm6S07v.exe, 0000000F.00000002.3404845206.0000000004B20000.00000004.00000020.00020000.00000000.sdmp, SU1be6oqYDorLkUc1l6IPPFB.exe, 00000017.00000002.3408267639.0000000004B60000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\xudiwojabogaji\pixev41 ru.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180979215.000001C31606C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180871105.000001C316233000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180696167.000001C31629B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180696167.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2183857159.000001C3162BF000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: Unable to locate the .pdb file in this location source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: The module signature does not match with .pdb signature. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: .pdb.dbg source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: '(EfiGuardDxe.pdbx source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp
                      Source: Binary string: BackgroundTransferHost.pdb source: wjaGPzkDQjpdcbjBR9AwSFKW.exe, 00000016.00000003.1995933643.0000000002043000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: or you do not have access permission to the .pdb location. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: XC:\xudiwojabogaji\pixev41 ru.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180979215.000001C31606C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180871105.000001C316233000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180696167.000001C31629B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2180696167.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2183857159.000001C3162BF000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: BackgroundTransferHost.pdbGCTL source: wjaGPzkDQjpdcbjBR9AwSFKW.exe, 00000016.00000003.1995933643.0000000002043000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000ACD000.00000040.00000001.01000000.0000000F.sdmp, Vh2fqCjm9jPtwuJrcfbbwxLj.exe, 00000018.00000002.3312827601.0000000000ACD000.00000040.00000001.01000000.00000015.sdmp
                      Source: Binary string: GC:\fidizinuhufi\zicavudojel-cugusanek_gaz.pdb source: KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2135649699.000001C316201000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: AppVShNotify.pdb source: wjaGPzkDQjpdcbjBR9AwSFKW.exe, 00000016.00000003.1995933643.0000000002043000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3388944185.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000000.1698025861.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3351524981.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1720567697.0000000000FC7000.00000002.00000001.01000000.0000000A.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000000.1821750116.00000000000B7000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3404841613.00000000000B7000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000000.1855030242.00000000000B7000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322123823.00000000000B7000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: AppVShNotify.pdbGCTL source: wjaGPzkDQjpdcbjBR9AwSFKW.exe, 00000016.00000003.1995933643.0000000002043000.00000004.00000020.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Unpacked PE file: 8.2.JPl4ZLOvy3fY5RSXGk5s9Gl5.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe Unpacked PE file: 10.2.JIsbjewlnghreiCB15kllzTk.exe.400000.4.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Unpacked PE file: 15.2.XEAazEoSTmJSOa66cXm6S07v.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                      Source: C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exe Unpacked PE file: 17.2.Yz2gr4IqEnTCH1g642bo4hrO.exe.400000.5.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
                      Source: C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe Unpacked PE file: 23.2.SU1be6oqYDorLkUc1l6IPPFB.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                      Source: C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exe Unpacked PE file: 24.2.Vh2fqCjm9jPtwuJrcfbbwxLj.exe.400000.6.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Unpacked PE file: 8.2.JPl4ZLOvy3fY5RSXGk5s9Gl5.exe.400000.0.unpack
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Unpacked PE file: 15.2.XEAazEoSTmJSOa66cXm6S07v.exe.400000.0.unpack
                      Source: C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe Unpacked PE file: 23.2.SU1be6oqYDorLkUc1l6IPPFB.exe.400000.0.unpack
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, GetConfigurationVariablesPrint.cs .Net Code: QueueNativeOverlappedDefineDynamicAssembly
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe Code function: 14_2_6B906BE0 LoadLibraryW,GetProcAddress, 14_2_6B906BE0
                      Source: initial sample Static PE information: section where entry point is pointing to: .vmp#V
                      Source: i3cGHUfhs02OIuQ54eKiruit.exe.3.dr Static PE information: real checksum: 0x5328d2 should be: 0x5329c7
                      Source: EVcXAn6aSSI07ttXmnvL0m1a.exe.3.dr Static PE information: real checksum: 0x71d4e should be: 0x71d51
                      Source: oE07FMGKijbqRxoSOEfcVNr4.exe.3.dr Static PE information: real checksum: 0x43d14b should be: 0x434bf1
                      Source: Tp59u6n2uhrgw2uPRJT1mo4o.exe.3.dr Static PE information: real checksum: 0x71d4e should be: 0x71d51
                      Source: Ckxihb2NQynZLzb7wQqDjQv3.exe.3.dr Static PE information: real checksum: 0x71d4e should be: 0x71d51
                      Source: TxcN817CnpQUUQpmxVzV0mFT.exe.3.dr Static PE information: real checksum: 0x43d14b should be: 0x434bf1
                      Source: UZEIOb5AJt4PKuFpMNcUE5kB.exe.3.dr Static PE information: real checksum: 0x43d14b should be: 0x434bf1
                      Source: JIsbjewlnghreiCB15kllzTk.exe.3.dr Static PE information: real checksum: 0x43d14b should be: 0x434bf1
                      Source: LLoAVhqqC3TlPmj3xeFbhIJr.exe.3.dr Static PE information: real checksum: 0x5328d2 should be: 0x5329c7
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe.3.dr Static PE information: real checksum: 0x525c11 should be: 0x525d06
                      Source: Obg7n5Z5efoxTsQrcye3Rd29.exe.3.dr Static PE information: real checksum: 0x43d14b should be: 0x434bf1
                      Source: ydXU53ROIY0b9rjoj3B1m3C2.exe.3.dr Static PE information: real checksum: 0x71d4e should be: 0x71d51
                      Source: 5CSwXytovRGWzicTtxKeyiOA.exe.3.dr Static PE information: real checksum: 0x43d14b should be: 0x434bf1
                      Source: QKDjQ5sBUXPsok7hLKm8Jxa7.exe.3.dr Static PE information: real checksum: 0x43d14b should be: 0x434bf1
                      Source: D0v59fae1RRLyzPSbsQoGGZK.exe.3.dr Static PE information: real checksum: 0x43d14b should be: 0x434bf1
                      Source: 7ifrWkUACu1QmnINWqs0eu9h.exe.3.dr Static PE information: real checksum: 0x43d14b should be: 0x434bf1
                      Source: Pn5ZHf0b4pBQKwEbywjz1WNa.exe.3.dr Static PE information: real checksum: 0x71d4e should be: 0x71d51
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe.3.dr Static PE information: real checksum: 0x71d4e should be: 0x71d51
                      Source: 4zJ5E9cuigEXwPfwJBBf2Voo.exe.3.dr Static PE information: real checksum: 0x43d14b should be: 0x434bf1
                      Source: Q1ZjqgqRF9GO7rx2KZzJIL2b.exe.3.dr Static PE information: real checksum: 0x43d14b should be: 0x434bf1
                      Source: KZrOTs6FcYbq3nj2hpYsaJil.exe.3.dr Static PE information: real checksum: 0x43d14b should be: 0x434bf1
                      Source: N96vu2CQjxii1alDjKixgxro.exe.3.dr Static PE information: real checksum: 0x71d4e should be: 0x71d51
                      Source: x6grxPSTyIeA8EPDMgptrwYO.exe.3.dr Static PE information: real checksum: 0x525c11 should be: 0x525d06
                      Source: WIPtBriceCKAWgIcBS0bein0.exe.3.dr Static PE information: real checksum: 0x43d14b should be: 0x434bf1
                      Source: GNcg3yiDrmzw07ZdoxfNbs1v.exe.3.dr Static PE information: section name: _RDATA
                      Source: GNcg3yiDrmzw07ZdoxfNbs1v.exe.3.dr Static PE information: section name: .N
                      Source: GNcg3yiDrmzw07ZdoxfNbs1v.exe.3.dr Static PE information: section name: .N
                      Source: GNcg3yiDrmzw07ZdoxfNbs1v.exe.3.dr Static PE information: section name: .vmp#V
                      Source: GNcg3yiDrmzw07ZdoxfNbs1v.exe.3.dr Static PE information: section name: .vmp#V
                      Source: GNcg3yiDrmzw07ZdoxfNbs1v.exe.3.dr Static PE information: section name: .vmp#V
                      Source: MphEWivXVroFMrkzyLgmuj2t.exe.3.dr Static PE information: section name: _RDATA
                      Source: MphEWivXVroFMrkzyLgmuj2t.exe.3.dr Static PE information: section name: .N
                      Source: MphEWivXVroFMrkzyLgmuj2t.exe.3.dr Static PE information: section name: .N
                      Source: MphEWivXVroFMrkzyLgmuj2t.exe.3.dr Static PE information: section name: .vmp#V
                      Source: MphEWivXVroFMrkzyLgmuj2t.exe.3.dr Static PE information: section name: .vmp#V
                      Source: MphEWivXVroFMrkzyLgmuj2t.exe.3.dr Static PE information: section name: .vmp#V
                      Source: N9QaRzQ0AfOLtw4JsIq3BGlx.exe.3.dr Static PE information: section name: _RDATA
                      Source: N9QaRzQ0AfOLtw4JsIq3BGlx.exe.3.dr Static PE information: section name: .N
                      Source: N9QaRzQ0AfOLtw4JsIq3BGlx.exe.3.dr Static PE information: section name: .N
                      Source: N9QaRzQ0AfOLtw4JsIq3BGlx.exe.3.dr Static PE information: section name: .vmp#V
                      Source: N9QaRzQ0AfOLtw4JsIq3BGlx.exe.3.dr Static PE information: section name: .vmp#V
                      Source: N9QaRzQ0AfOLtw4JsIq3BGlx.exe.3.dr Static PE information: section name: .vmp#V
                      Source: dhes16NzxQrsGp1NLOpKhYEG.exe.3.dr Static PE information: section name: _RDATA
                      Source: dhes16NzxQrsGp1NLOpKhYEG.exe.3.dr Static PE information: section name: .N
                      Source: dhes16NzxQrsGp1NLOpKhYEG.exe.3.dr Static PE information: section name: .N
                      Source: dhes16NzxQrsGp1NLOpKhYEG.exe.3.dr Static PE information: section name: .vmp#V
                      Source: dhes16NzxQrsGp1NLOpKhYEG.exe.3.dr Static PE information: section name: .vmp#V
                      Source: dhes16NzxQrsGp1NLOpKhYEG.exe.3.dr Static PE information: section name: .vmp#V
                      Source: si8fAgQZyD6Cx4plDNMQadak.exe.3.dr Static PE information: section name: _RDATA
                      Source: si8fAgQZyD6Cx4plDNMQadak.exe.3.dr Static PE information: section name: .N
                      Source: si8fAgQZyD6Cx4plDNMQadak.exe.3.dr Static PE information: section name: .N
                      Source: si8fAgQZyD6Cx4plDNMQadak.exe.3.dr Static PE information: section name: .vmp#V
                      Source: si8fAgQZyD6Cx4plDNMQadak.exe.3.dr Static PE information: section name: .vmp#V
                      Source: si8fAgQZyD6Cx4plDNMQadak.exe.3.dr Static PE information: section name: .vmp#V
                      Source: xWO4HdGMj74aDnNwcibeJHOS.exe.3.dr Static PE information: section name: _RDATA
                      Source: xWO4HdGMj74aDnNwcibeJHOS.exe.3.dr Static PE information: section name: .N
                      Source: xWO4HdGMj74aDnNwcibeJHOS.exe.3.dr Static PE information: section name: .N
                      Source: xWO4HdGMj74aDnNwcibeJHOS.exe.3.dr Static PE information: section name: .vmp#V
                      Source: xWO4HdGMj74aDnNwcibeJHOS.exe.3.dr Static PE information: section name: .vmp#V
                      Source: xWO4HdGMj74aDnNwcibeJHOS.exe.3.dr Static PE information: section name: .vmp#V
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe.3.dr Static PE information: section name: _RDATA
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe.3.dr Static PE information: section name: .N
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe.3.dr Static PE information: section name: .N
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe.3.dr Static PE information: section name: .vmp#V
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe.3.dr Static PE information: section name: .vmp#V
                      Source: KI5P6OyhHMwNaNA4w0xtd3UY.exe.3.dr Static PE information: section name: .vmp#V
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe Code function: 0_2_00007FFD9B887963 push ebx; retf 0_2_00007FFD9B88796A
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe Code function: 0_2_00007FFD9B8800BD pushad ; iretd 0_2_00007FFD9B8800C1
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe Code function: 0_2_00007FFD9B96026B push esp; retf 4810h 0_2_00007FFD9B960312
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_0042D355 push esi; ret 8_2_0042D35E
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_00427488 push eax; ret 8_2_004274A6
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_00409D06 push ecx; ret 8_2_00409D19
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_004097B6 push ecx; ret 8_2_004097C9
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_02F253B7 push ebp; iretd 8_2_02F253EA
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_02F21091 pushad ; retf 8_2_02F21092
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_02F23945 pushad ; retf 8_2_02F2394C
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_02F2211D push ecx; iretd 8_2_02F2212F
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_02F2362F push 2B991403h; ret 8_2_02F23636
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_02F23F54 push 00000061h; retf 8_2_02F23F5C
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_049C76EF push eax; ret 8_2_049C770D
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_049A9F6D push ecx; ret 8_2_049A9F80
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_049BC9FD push esp; retf 8_2_049BC9FE
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_049A9A1D push ecx; ret 8_2_049A9A30
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_049BC3FF push esp; retf 8_2_049BC407
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_049C1B72 push dword ptr [esp+ecx-75h]; iretd 8_2_049C1B76
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe Code function: 14_2_6B9A495B push ecx; ret 14_2_6B9A496E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_0042D355 push esi; ret 15_2_0042D35E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_00427488 push eax; ret 15_2_004274A6
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_00409D06 push ecx; ret 15_2_00409D19
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_004097B6 push ecx; ret 15_2_004097C9
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02ED9A1D push ecx; ret 15_2_02ED9A30
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02EEC3FF push esp; retf 15_2_02EEC407
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02EF1B72 push dword ptr [esp+ecx-75h]; iretd 15_2_02EF1B76
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02EEC9FD push esp; retf 15_2_02EEC9FE
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02EF76EF push eax; ret 15_2_02EF770D
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02ED9F6D push ecx; ret 15_2_02ED9F80
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02FB51DF push ebp; iretd 15_2_02FB5212

                      Persistence and Installation Behavior

                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\xFUB9mqMmDXHB6bYEudfe3bz.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\tk993DcPKxGC0yxEJOpWA4Uq.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\YEB6goJ_QRA9Ek_PBrASrKDk.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\BuKYLuXtWRFvMUw4E6QMnePB.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\e5ADH4rW9PcD5gtgsREzjuVn.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\jQql7MG2XChbxjQ6gNLJX8a8.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\zfmWdTyj1A0x7CDHTSCFc6P6.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\UEaGlypujmRvmbw2BfkfATn6.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\mglK9j1udRLIlNMmqHDs89S5.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\bLSHn6d_smbEd3DDHsdhdb9F.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\8lBOtksKAFB83rUCOP3QmQ2e.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\N3dNHH1i3277Gfb9sVdhVcr5.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\poDcVPAkLsUtWqX_rqUuGuhg.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exe
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036143868168.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\Zo2cLek54856t9hHiM76hOvA.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\KAKoKagL31aeT9tvPuu3L1bc.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\VZQMh0fhaUDqSIPOKlnYI2fB.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\dhes16NzxQrsGp1NLOpKhYEG.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\ySa0tmdKXLMzZNFqxzPk3yl0.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\Q1ZjqgqRF9GO7rx2KZzJIL2b.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\31Q0tfhZ3ZbBeSnpH53Q6cmR.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\MphEWivXVroFMrkzyLgmuj2t.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\cOM8IUNCP0DFnISRQRmA27gl.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\nRdMq8uD8Vn50SShh8GGGF1J.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\iZp2NZRM4fCHBLrmfY5yxs4H.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\BScYPWRXjjJsm0UZKd8ZE404.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\KV2qLRPax2onnz5Ndu1Z5G5q.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\fBaSCDbc3PgwiKtKElJM21wM.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\EVcXAn6aSSI07ttXmnvL0m1a.exe
                      Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\T2RIU3FpH6dczIGTG32vuvvE.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036248045740.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\ydXU53ROIY0b9rjoj3B1m3C2.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\GNcg3yiDrmzw07ZdoxfNbs1v.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\QKDjQ5sBUXPsok7hLKm8Jxa7.exe
                      Source: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036332806404.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\v2MiP1iSJrMhmInOYy5QW224.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Extension__Installer[1].exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\Ckxihb2NQynZLzb7wQqDjQv3.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\IWT1vUWgcWghP1zoHHmuoKa9.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\iUqjJmkpzyvK9tYYVEHTZp1W.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\HmEe3wDzeiBBjESYuBab3Xp4.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\7cokQoA6j0WDpV84Xp72tQca.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\TxcN817CnpQUUQpmxVzV0mFT.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\JeZCwGu4yuVGGxFvnw3BIkJ1.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\mm4Q31XfpYKjbn6ceSwXhER9.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\f0h4XS72dTppZnfmwBjhUBEA.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\xWO4HdGMj74aDnNwcibeJHOS.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\A6zIGniAZ7NEfPoGNA99xdJC.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\F6G6Y5cEUOHQw9dTwu4nNoIO.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe File created: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\browserexport.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\060[1].exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe File created: C:\Users\user\AppData\Local\Temp\u224.1.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\UIlweOQ5afwPPuh3ds8U6N2a.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\AO0lQiXja0SJ1xVYKQpJ0RgU.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\N96vu2CQjxii1alDjKixgxro.exe
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe File created: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\T2RIU3FpH6dczIGTG32vuvvE.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\remGzM3ucI0rwNvHqGHEYSnk.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\N9QaRzQ0AfOLtw4JsIq3BGlx.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\Obg7n5Z5efoxTsQrcye3Rd29.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\iiOuEJn1yBaeJOKc16avXLXi.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\SuRnIHuWYWEWXFXLcVP2Or9Q.exe
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe File created: C:\Users\user\AppData\Local\Temp\u63s.0.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\PMy8rA40PiG6kLCCQ4O29elX.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\vRRDKxJPSQaL9EAwTnxxq5Xp.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\Z53Wf0X0IoS1KV8zvVeoh9Jq.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\m17a3Wi6OxEiO5FsOjI20tNz.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\aTkqzhHOj7NgaroFiyZu2tdl.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\a84xxA52gOFQbQH4hbzYi5Xz.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\KZrOTs6FcYbq3nj2hpYsaJil.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\YFF0xQcRAUpBPwLPUp2RM5MU.exe
                      Source: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe File created: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\lIVrBSt.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\Pictures\cvz8uTBLcjJDrWiUkH9ou3st.exe
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\Documents\SimpleAdobe\bLSHn6d_smbEd3DDHsdhdb9F.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\C3zBXysGYP5W2fmci6hd0XEB.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\si8fAgQZyD6Cx4plDNMQadak.exeJump to dropped file
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exeFile created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036226544476.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exeJump to dropped file
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeFile created: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\CertEnrollCtrl.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\1sULHHpeqbgWxmRBkrwHQ2Wq.exeJump to dropped file
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeFile created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036016968100.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\7GonYrcCQJRZWxpQLYX649aX.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\1HakjlIwxygCinOPkQfhRxwL.exeJump to dropped file
                      Source: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\kuRSiZPmKhbW1guMqYXCvrAu.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\OzuxsP18idUhxNQxYYbIiZFx.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\jPR83WX1aF07mPj541WJbft7.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\JN1IXYA8ssOWcLaqrtfgX1Ue.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\puSUyQPbhGQYc8ea6l8rcmDp.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\Documents\SimpleAdobe\YEB6goJ_QRA9Ek_PBrASrKDk.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\rqCKBzP3c5cie0ECqyDcHMBo.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\0oplAGcqdSD8dY40aY8KDRaa.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\inte[1].exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\S8ELmP46wfy25sPQImx4dfKP.exeJump to dropped file
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\0XytwVHS3WE9jtGuuRid6GiP.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\xMynrpRscnCMe5EhOaqNgT9P.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\5QOOoyFK4iimcVizzTfwyofF.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\z2yKWzT0GXgmaQHim8qSwTt8.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\LLoAVhqqC3TlPmj3xeFbhIJr.exeJump to dropped file
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeFile created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036337438040.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\kTljKlVr9ONLnjGfMDuDLqq7.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\5CSwXytovRGWzicTtxKeyiOA.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeJump to dropped file
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeFile created: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\BackgroundTransferHost.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\PqdYh9kiVSkf3FjC9RDfcS2e.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\setup[1].exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\4eN6JMBulbZWTUqm8bHwZ2Cg.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\WIPtBriceCKAWgIcBS0bein0.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\Pn5ZHf0b4pBQKwEbywjz1WNa.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\ws45TNfHbiigh1rlfu2kvwqp.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\0XytwVHS3WE9jtGuuRid6GiP.exeFile created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036333922764.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\zMgiNzEE9vHMTa7pUx4El30p.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\u7khEnv04mT2EDLzgGnRMGoz.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\gtrlRL8HQLBmCrpj7eGii9RV.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\qWJzemjmehRTjWu4hQlmexeK.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\dIzcszODhP85SLHp5gDwads1.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\Documents\SimpleAdobe\xFUB9mqMmDXHB6bYEudfe3bz.exeJump to dropped file
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeFile created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036143665496.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\Tp59u6n2uhrgw2uPRJT1mo4o.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\exiuFZUeNjcDMo0MgYdiT1SB.exeJump to dropped file
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\syLcQZGPHHUJ3M0wbg0XxQZf.exeJump to dropped file
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exeFile created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036199797216.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\kzh8LUeSpUUvzS6kGzWDItYc.exeJump to dropped file
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeFile created: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\BdeUISrv.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\UZEIOb5AJt4PKuFpMNcUE5kB.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\rgIKhNst6KD41QCemJfU8B6e.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\Documents\SimpleAdobe\mglK9j1udRLIlNMmqHDs89S5.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\QULdLniTDqWIS6ivnfEkWMUZ.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\mrFftTFMgiVG2LP46B9gKHBo.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\s9S2YPHvXa7oseKyop7fDJGM.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\NOigbqKnljqgR3qaRHEw5cN9.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\csCwmOCWNE9UELQ4txTVhw4w.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\4zJ5E9cuigEXwPfwJBBf2Voo.exeJump to dropped file
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeFile created: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\AppVShNotify.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\x6grxPSTyIeA8EPDMgptrwYO.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cad54ba5b01423b1af8ec10ab5719d97[1].exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\setup294[1].exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\71be4917[1].exeJump to dropped file
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeFile created: C:\Users\user\AppData\Local\Temp\u63s.1.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\Documents\SimpleAdobe\zfmWdTyj1A0x7CDHTSCFc6P6.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\Documents\SimpleAdobe\UEaGlypujmRvmbw2BfkfATn6.exeJump to dropped file
                      Source: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Opera_109.0.5097.45_Autoupdate_x64[2].exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\dYzlQyYiVhnqA3GhRDFvHDg1.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\D0v59fae1RRLyzPSbsQoGGZK.exeJump to dropped file
                      Source: C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exeFile created: C:\Users\user\AppData\Local\Temp\u63c.0.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\IpPaPlW8SuKj6HZ6PbpzdKUK.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\KlC0MO7JlENai4lmIm0fgxCd.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\i3cGHUfhs02OIuQ54eKiruit.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Local\q1Wrkjlqz870PPzT0bIAuAXE.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\Documents\SimpleAdobe\8lBOtksKAFB83rUCOP3QmQ2e.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\Documents\SimpleAdobe\poDcVPAkLsUtWqX_rqUuGuhg.exeJump to dropped file
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeFile created: C:\Users\user\AppData\Local\Temp\serversystemNCQ_x64.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\Sj3OVhjmKPY77wuH4sHs0IWD.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\7725eaa6592c80f8124e769b4e8a07f7[1].exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeJump to dropped file
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeFile created: C:\Users\user\AppData\Local\Temp\u224.0.exeJump to dropped file
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240418023618399.log
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240418023635601.log
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240418023630151.log
                      Source: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240418023639593.log

                      Boot Survival

                      barindex
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2ym1d1xnPNMzk5jErdF6V6UG.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2YGFaax4VREMAQhHWBVtU9ND.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3PIKZrWnwy05CxuZRskqCwfF.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MygBvANjLf1AX31Xj7nu95Ot.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jC9hytOXxSJLUIWk7OLwYELs.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VgsxHcqWGMZuJZrJUV5SLHQ3.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DJgk52sDeczUV1lmMmKix3k6.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5me5kJjaX6nSu3LrmZClhT87.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m35TgMK4wpj8LJ6jgGf2Xw2Z.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kt7mfV03aeWQu4bZPgZ3e2n8.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tlcr68YHXdDJjhyT7wrqm3xM.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AN1sPJSyeZAaO0fgnCn2d82e.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k2JDJYYF97BxDjJvdjfGyjtZ.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\J4OoATuxVsfOKcXUcxOLtc1U.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y3oAYVErrIRWXBbeGz7YmX13.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boo8FP0AhS3bBXLUBRbBJy9i.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WHd1pNJmpFoM8sqoNNUE4tf3.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kubdYrhB0F7KtjUXb85yOtnD.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oihjzJdDB6SwjKqgn4xLpgF2.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7wRR3Sd9ebwAodEDhY9Igh21.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqngqO4IdouWvJHIpDnLTPg5.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qbfh1kEfJzQeidHl0GsAyFET.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NZRD5waRyhBspSGbBIm0gdm3.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bnux0XctxY2jUEcQFRrG9ED3.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0L0N3gvArkRU6k774A53L7pm.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ft6HRmD3ARCfJ7A7sFRbGBMr.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVwZaD0pkoPBTQLpyiUwKvm0.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f4biQVfkFFQ1vVSgVTRMMCQ.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tAZVngHhHPzgcFHrRcS9MvT2.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5DvsXqu7rhEgw2bNo52xP7fS.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\moQfGiqyu6YwVfcrFdZJ5YnD.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alXN5bQawMu1k2uk8dHN6LdQ.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PnT9ZbC86TXnf3ynIc9924V5.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0J7M1nQjDGRXKMq0AgiKFOvO.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x3w25VIhwwar8kgq72wIQMdT.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XFHdSFO3188VoWv0QrQcEWtV.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ikx69mladtPGsRKabYNZ6t0.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vr4X7SKAWv4hdQph3V65g9Ue.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INrPttZcYp1b1IDxmBdj2E7I.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cioAsxrEgULT6QllewrDjFdd.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\olGMw8ij2FLh3ZKyyQztgUiZ.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\W8THWYViNOUp58e0uu5wCwhd.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CVcuVNYe8YDJ4yNu7pIFMe6h.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MnlURaBerk6x1crCbiGPEJWc.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4LIdC6j8pRS1z7WNkoaxi5da.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EXyR1877y9OTHbL7SmwL0Njx.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fCajoF0uziKOHWOtsMKiSmkf.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iV9J0aMa18AmH41d2KxPgrGa.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnqdr1oc3vWZb0AM6GqrJePb.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AcYm79bKwGS9urVVZVjxlnOT.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C2otv6cqxQYf5tfWSc9JYFFI.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42AtahIwsAQ9MCwYdGXiMWgl.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YeU8iF6BbqbTpHWTeh39oBMV.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NgmAydJthTuDbZVpKKk96QRy.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e9YTeMdvgg279TXXoNtMM7p.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkqRrg5iWYbcd6JdFTMqN4du.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lvJmufARuJlw0oQi9mXpQ9k4.batJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CqLkLJsKMzyqpGaqpdD80xX4.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uSsGDdtTis23IdAFsKMDjhvK.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9Xgc4e7oTv5WiPHkhGWgsF6U.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4Y9Dve63bMlMJwgLFapHtux4.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0syZq7EY0CFhtffF1dHMEDe0.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pPDwres8UiyP6hmT2n6yLn7l.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WsK1YQ9kvBcxOEKHHnifbuin.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I9qlxtKCRbJZBgSVyvQk4qck.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wgrTK4F9BP7bp4UxruSjPthW.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aCZd0jUEZLTcGXCh2D1mXI8Y.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VgsxHcqWGMZuJZrJUV5SLHQ3.bat
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VgsxHcqWGMZuJZrJUV5SLHQ3.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DJgk52sDeczUV1lmMmKix3k6.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5me5kJjaX6nSu3LrmZClhT87.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y3oAYVErrIRWXBbeGz7YmX13.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boo8FP0AhS3bBXLUBRbBJy9i.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WHd1pNJmpFoM8sqoNNUE4tf3.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NZRD5waRyhBspSGbBIm0gdm3.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bnux0XctxY2jUEcQFRrG9ED3.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tAZVngHhHPzgcFHrRcS9MvT2.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5DvsXqu7rhEgw2bNo52xP7fS.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\moQfGiqyu6YwVfcrFdZJ5YnD.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alXN5bQawMu1k2uk8dHN6LdQ.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INrPttZcYp1b1IDxmBdj2E7I.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cioAsxrEgULT6QllewrDjFdd.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CVcuVNYe8YDJ4yNu7pIFMe6h.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MnlURaBerk6x1crCbiGPEJWc.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4LIdC6j8pRS1z7WNkoaxi5da.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EXyR1877y9OTHbL7SmwL0Njx.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fCajoF0uziKOHWOtsMKiSmkf.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AcYm79bKwGS9urVVZVjxlnOT.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C2otv6cqxQYf5tfWSc9JYFFI.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42AtahIwsAQ9MCwYdGXiMWgl.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkqRrg5iWYbcd6JdFTMqN4du.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WsK1YQ9kvBcxOEKHHnifbuin.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aCZd0jUEZLTcGXCh2D1mXI8Y.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2YGFaax4VREMAQhHWBVtU9ND.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jC9hytOXxSJLUIWk7OLwYELs.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kt7mfV03aeWQu4bZPgZ3e2n8.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k2JDJYYF97BxDjJvdjfGyjtZ.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\J4OoATuxVsfOKcXUcxOLtc1U.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oihjzJdDB6SwjKqgn4xLpgF2.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqngqO4IdouWvJHIpDnLTPg5.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ft6HRmD3ARCfJ7A7sFRbGBMr.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PnT9ZbC86TXnf3ynIc9924V5.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x3w25VIhwwar8kgq72wIQMdT.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ikx69mladtPGsRKabYNZ6t0.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnqdr1oc3vWZb0AM6GqrJePb.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iV9J0aMa18AmH41d2KxPgrGa.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YeU8iF6BbqbTpHWTeh39oBMV.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e9YTeMdvgg279TXXoNtMM7p.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NgmAydJthTuDbZVpKKk96QRy.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lvJmufARuJlw0oQi9mXpQ9k4.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CqLkLJsKMzyqpGaqpdD80xX4.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uSsGDdtTis23IdAFsKMDjhvK.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9Xgc4e7oTv5WiPHkhGWgsF6U.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4Y9Dve63bMlMJwgLFapHtux4.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0syZq7EY0CFhtffF1dHMEDe0.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wgrTK4F9BP7bp4UxruSjPthW.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pPDwres8UiyP6hmT2n6yLn7l.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I9qlxtKCRbJZBgSVyvQk4qck.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2ym1d1xnPNMzk5jErdF6V6UG.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3PIKZrWnwy05CxuZRskqCwfF.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MygBvANjLf1AX31Xj7nu95Ot.bat
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m35TgMK4wpj8LJ6jgGf2Xw2Z.bat

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeCode function: 8_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,8_2_00408761
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe PID: 7412, type: MEMORYSTR
                      Source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                      Source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
                      Source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTART TASK: %WSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
                      Source: JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exe Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIES
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe Memory allocated: 1E7B5FB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe Memory allocated: 1E7CFCD0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 1620000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 34A0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 2FB0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 7190000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 8190000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 82F0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 92F0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 96F0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: AA30000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: BA30000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: CA30000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: DA30000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 7ED0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: A7F0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: B7F0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: DFA0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: EFA0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 10560000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 11560000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 12560000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 13560000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 100A0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 120A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 600000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 599871
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 599716
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 599608
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 599500
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 599390
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 599281
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 599172
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 599049
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 598922
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 598810
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 598698
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 598592
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 598484
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 598375
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 598260
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 598152
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 598021
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 597866
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 597640
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 597477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 597281
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 597140
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 596968
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 596848
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596723Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596515Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596292Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596172Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595949Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595828Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595687Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595575Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595416Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595192Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 300000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594819Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594515Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594328Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594172Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593890Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593736Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593453Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593140Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 592797Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 592624Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 592156Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 591905Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 591625Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 591390Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 591062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 590785Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 590576Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 590353Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 589969Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 589594Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 589375Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 589078Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 588750Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 588500Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 585734Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 585187Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 584750Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 584422Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 584062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 583778Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 583297Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 583047Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 582625Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 582309Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 581812Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 581187Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 580578Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 580187Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 579687Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 579422Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 578875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 578469Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 578109Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 577738Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 577328Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 576937Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 576406Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 575875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 575375Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 574984Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 574422Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 574047Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 573328Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 573055Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 572359Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 571828Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 571140Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 567634Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 567172Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 566297Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 565531Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 565281Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 564906Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 564562Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 563750Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 562687Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 562130Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 561312Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 560344Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 559250Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 558031Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 557281Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 556390Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 554812Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 553578Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 552625Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 549500Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 548219Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 546844Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 545390Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 544687Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 543422Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 541500Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 540578Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 539375Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 538347Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 536547Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 535062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 533031Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 531437Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 530000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 528469Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 527078Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 525547Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 524265Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 522844Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 521156Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 519297Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 515039Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 512910Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 511276Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 508856Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 507135Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 505282Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 503549Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 501556Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 498559Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 497090Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 495347Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 493777Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 491570Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 489150Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 487134Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 484379Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 481324Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 478850Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeThread delayed: delay time: 300000
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeThread delayed: delay time: 300000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6019Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3681Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 3588Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 2104Jump to behavior
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeWindow / User API: threadDelayed 1252
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_8-38755
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036143868168.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDropped PE file which has not been started: C:\Users\user\Pictures\puSUyQPbhGQYc8ea6l8rcmDp.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\YEB6goJ_QRA9Ek_PBrASrKDk.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\jQql7MG2XChbxjQ6gNLJX8a8.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDropped PE file which has not been started: C:\Users\user\Pictures\KAKoKagL31aeT9tvPuu3L1bc.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\inte[1].exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDropped PE file which has not been started: C:\Users\user\Pictures\ySa0tmdKXLMzZNFqxzPk3yl0.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\31Q0tfhZ3ZbBeSnpH53Q6cmR.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDropped PE file which has not been started: C:\Users\user\Pictures\LLoAVhqqC3TlPmj3xeFbhIJr.exeJump to dropped file
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036337438040.dllJump to dropped file
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\BackgroundTransferHost.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\BScYPWRXjjJsm0UZKd8ZE404.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\setup[1].exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\T2RIU3FpH6dczIGTG32vuvvE.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036248045740.dllJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\e5ADH4rW9PcD5gtgsREzjuVn.exeJump to dropped file
                      Source: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036332806404.dllJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\0XytwVHS3WE9jtGuuRid6GiP.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036333922764.dllJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Extension__Installer[1].exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\JeZCwGu4yuVGGxFvnw3BIkJ1.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\N3dNHH1i3277Gfb9sVdhVcr5.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\qWJzemjmehRTjWu4hQlmexeK.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\xFUB9mqMmDXHB6bYEudfe3bz.exeJump to dropped file
                      Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036143665496.dllJump to dropped file
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\browserexport.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\BuKYLuXtWRFvMUw4E6QMnePB.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\060[1].exeJump to dropped file
                      Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036199797216.dllJump to dropped file
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\BdeUISrv.exeJump to dropped file
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u224.1.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\mglK9j1udRLIlNMmqHDs89S5.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDropped PE file which has not been started: C:\Users\user\Pictures\s9S2YPHvXa7oseKyop7fDJGM.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exeJump to dropped file
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\AppVShNotify.exeJump to dropped file
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u63s.0.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\cad54ba5b01423b1af8ec10ab5719d97[1].exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDropped PE file which has not been started: C:\Users\user\Pictures\PMy8rA40PiG6kLCCQ4O29elX.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\setup294[1].exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\m17a3Wi6OxEiO5FsOjI20tNz.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\tk993DcPKxGC0yxEJOpWA4Uq.exeJump to dropped file
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\71be4917[1].exeJump to dropped file
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u63s.1.exeJump to dropped file
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\UEaGlypujmRvmbw2BfkfATn6.exe
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\zfmWdTyj1A0x7CDHTSCFc6P6.exe
Source: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Opera_109.0.5097.45_Autoupdate_x64[2].exe
Source: C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u63c.0.exe
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\bLSHn6d_smbEd3DDHsdhdb9F.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\i3cGHUfhs02OIuQ54eKiruit.exe
Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036226544476.dll
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\poDcVPAkLsUtWqX_rqUuGuhg.exe
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\CertEnrollCtrl.exe
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\8lBOtksKAFB83rUCOP3QmQ2e.exe
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\serversystemNCQ_x64.exe
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\7725eaa6592c80f8124e769b4e8a07f7[1].exe
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u224.0.exe
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404180036016968100.dll
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Evasive API call chain: GetLocalTime,DecisionNodes | graph_14-13856
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | API coverage: 8.3 %
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | API coverage: 4.2 %
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | API coverage: 1.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7824 | Thread sleep count: 3588 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -599871s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7824 | Thread sleep count: 2104 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -599716s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -599608s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -599500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -599390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -599281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -599172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -599049s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -598922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -598810s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -598698s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -598592s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -598484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -598375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -598260s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -598152s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -598021s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -597866s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -597640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -597477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -597281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -597140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -596968s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -596848s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -596723s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -596515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -596292s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -596172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -596062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -595949s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -595828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -595687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -595575s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -595416s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -595192s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -595000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7524 | Thread sleep time: -2100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -594819s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -594515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -594328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -594172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -593890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -593736s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -593453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -593140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -592797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -592624s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -592156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -591905s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -591625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -591390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -591062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -590785s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -590576s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -590353s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -589969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -589594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -589375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -589078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -588750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -588500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -585734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -585187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -584750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -584422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -584062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -583778s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -583297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -583047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -582625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -582309s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -581812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -581187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -580578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -580187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -579687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -579422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -578875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -578469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -578109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -577738s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -577328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -576937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -576406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -575875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -575375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -574984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -574422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -574047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -573328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -573055s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -572359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -571828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -571140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -567634s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -567172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -566297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -565531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -565281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -564906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -564562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -563750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -562687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -562130s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -561312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -560344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -559250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -558031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -557281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -556390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -554812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -553578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -552625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -549500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -548219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -546844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -545390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -544687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -543422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -541500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -540578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -539375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -538347s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -536547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -535062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -533031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -531437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -530000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -528469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -527078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -525547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -524265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -522844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -521156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -519297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -515039s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -512910s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -511276s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -508856s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -507135s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -505282s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -503549s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -501556s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -498559s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -497090s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -495347s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -493777s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -491570s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -489150s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -487134s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -484379s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -481324s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -478850s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7776 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe TID: 8128 | Thread sleep count: 128 > 30
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe TID: 5308 | Thread sleep count: 1252 > 30
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe TID: 5308 | Thread sleep time: -250400s >= -30000s
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe TID: 8128 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe TID: 5144 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Last function: Thread delayed
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | Code function: 22_2_0040553A FindFirstFileA, 22_2_0040553A
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | Code function: 22_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA, 22_2_004055DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 599871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 599716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 599608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 599500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 599390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 599281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 599172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 599049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 598922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 598810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 598698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 598592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 598484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 598375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 598260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 598152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 598021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 597866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 597640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 597477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 597281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 597140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 596968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 596848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 596723
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 596515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 596292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 596172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 596062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 595949
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 595828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 595687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 595575
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 595416
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 595192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 595000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 594819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 594515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 594328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 594172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 593890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 593736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 593453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 593140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 592797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 592624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 592156
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 591905Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 591625Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 591390Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 591062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 590785Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 590576Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 590353Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 589969Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 589594Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 589375Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 589078Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 588750Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 588500Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 585734Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 585187Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 584750Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 584422Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 584062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 583778Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 583297Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 583047Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 582625Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 582309Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 581812Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 581187Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 580578Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 580187Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 579687Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 579422Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 578875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 578469Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 578109Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 577738Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 577328Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 576937Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 576406Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 575875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 575375Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 574984Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 574422Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 574047Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 573328Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 573055Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 572359Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 571828Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 571140Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 567634Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 567172Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 566297Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 565531Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 565281Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 564906Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 564562Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 563750Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 562687Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 562130Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 561312Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 560344Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 559250Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 558031Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 557281Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 556390Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 554812Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 553578Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 552625Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 549500Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 548219Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 546844Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 545390Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 544687Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 543422Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 541500Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 540578Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 539375Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 538347Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 536547Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 535062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 533031Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 531437Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 530000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 528469Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 527078Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 525547Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 524265Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 522844Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 521156Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 519297Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 515039Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 512910Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 511276Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 508856Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 507135Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 505282Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 503549Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 501556Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 498559Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 497090Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 495347Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 493777Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 491570Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 489150Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 487134Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 484379Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 481324Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 478850Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Thread delayed: delay time: 300000
Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Thread delayed: delay time: 300000
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe | File opened: C:\Users\user\
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exeBinary or memory string: sbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--P
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstart task: %wstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
                      Source: JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Datacenter without Hyper-V Core
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exeBinary or memory string: psapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= p
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000002.3342119410.0000000004AA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWo
                      Source: JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exeBinary or memory string: STAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00 %+v m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3ca
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exeBinary or memory string: uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie$WINDIR% CPU (%03d %s%v: %#x, goid=, j0 = -nologo/delete19531252.5.4.32.5.
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
                      Source: QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000002.3380053915.0000000004D40000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: ameNewaPINGPOSTPathQEMUROOTH
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exeBinary or memory string: ersexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindo
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMWARE_VIRTUAL
                      Source: QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000002.3380053915.0000000004D40000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: 11VBoxSFWINDIRWD
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000002.3342119410.0000000004A38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exeBinary or memory string: LycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd acceptactivechan<-closedcookiedirectdo
                      Source: CasPol.exe, 00000003.00000002.3380210528.0000000001344000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
                      Source: QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000002.3380053915.0000000004D40000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: aryvmcixn-SR-%W
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s|%s%s|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
                      Source: Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: main.isRunningInsideVMWare
                      Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3345349148.00000000004C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Datacenter without Hyper-V Full
                      Source: QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000002.3380053915.0000000004D40000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: tVMSrvcs|!
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Enterprise without Hyper-V Full
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Server
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMU_HARDU
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Standard without Hyper-V Full
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Enterprise without Hyper-V Core
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000002.3380053915.0000000004D40000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: \\.\HGFS`
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
                      Source: QHuPF3k4no0JL9DdGqDYtkCG.exe, 00000010.00000002.3380053915.0000000004D40000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: vmhgfsP
                      Source: SU1be6oqYDorLkUc1l6IPPFB.exe, 00000017.00000002.3389956114.0000000002FE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
                      Source: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe, 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Standard without Hyper-V Core
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe API call chain: ExitProcess graph end node
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe Process queried: DebugPort
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00409A73
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe Code function: 14_2_6B906BE0 LoadLibraryW,GetProcAddress, 14_2_6B906BE0
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_004139E7 mov eax, dword ptr fs:[00000030h] 8_2_004139E7
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_02F1F06B push dword ptr fs:[00000030h] 8_2_02F1F06B
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_049B3C4E mov eax, dword ptr fs:[00000030h] 8_2_049B3C4E
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_049A0D90 mov eax, dword ptr fs:[00000030h] 8_2_049A0D90
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_049A092B mov eax, dword ptr fs:[00000030h] 8_2_049A092B
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_004139E7 mov eax, dword ptr fs:[00000030h] 15_2_004139E7
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02ED092B mov eax, dword ptr fs:[00000030h] 15_2_02ED092B
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02EE3C4E mov eax, dword ptr fs:[00000030h] 15_2_02EE3C4E
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02ED0D90 mov eax, dword ptr fs:[00000030h] 15_2_02ED0D90
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02FAEE93 push dword ptr fs:[00000030h] 15_2_02FAEE93
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_00420AEA GetProcessHeap, 8_2_00420AEA
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_00409C06 SetUnhandledExceptionFilter, 8_2_00409C06
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00409EBE
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0041073B
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_049A9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_049A9CDA
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_049A9E6D SetUnhandledExceptionFilter, 8_2_049A9E6D
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_049B09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_049B09A2
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe Code function: 8_2_049AA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_049AA125
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe Code function: 14_2_6B9A4218 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_6B9A4218
                      Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe Code function: 14_2_6B9B6C84 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_6B9B6C84
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00409A73
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_00409C06 SetUnhandledExceptionFilter, 15_2_00409C06
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00409EBE
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0041073B
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02EE09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_02EE09A2
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02EDA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_02EDA125
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02ED9E6D SetUnhandledExceptionFilter, 15_2_02ED9E6D
                      Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe Code function: 15_2_02ED9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_02ED9CDA
                      Source: C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exe Code function: 16_2_00408F71 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00408F71
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe Code function: 22_2_0041584A SetUnhandledExceptionFilter, 22_2_0041584A
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe Code function: 22_2_0041585C SetUnhandledExceptionFilter, 22_2_0041585C
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" -Force
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C2D6C799-1878-4A10-AE0B-BB0304219A47}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
                      Source: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe NtProtectVirtualMemory: Direct from: 0x7FF7EBB558C1
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe NtProtectVirtualMemory: Direct from: 0x7FF79D398F28
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe NtProtectVirtualMemory: Direct from: 0x7FF7896FC57D
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe NtProtectVirtualMemory: Direct from: 0x7FF79D0F8590
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe NtProtectVirtualMemory: Direct from: 0x7FF6A0FFC23D
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe NtProtectVirtualMemory: Direct from: 0x7FF6A0FC05F0
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe NtProtectVirtualMemory: Direct from: 0x7FF78970E07F
                      Source: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe NtProtectVirtualMemory: Direct from: 0x7FF7EBF8E07F
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe NtProtectVirtualMemory: Direct from: 0x7FF6A0FD0A0A
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe NtProtectVirtualMemory: Direct from: 0x7FF7892C686E
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe NtProtectVirtualMemory: Direct from: 0x7FF79CF6686E
                      Source: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe NtProtectVirtualMemory: Direct from: 0x7FF7EBB8E17D
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe NtProtectVirtualMemory: Direct from: 0x7FF6A13E78C2
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe NtProtectVirtualMemory: Direct from: 0x7FF78930C23D
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe NtProtectVirtualMemory: Direct from: 0x7FF79CFAE17D
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe NtProtectVirtualMemory: Direct from: 0x7FF79CFE7174
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe NtProtectVirtualMemory: Direct from: 0x7FF7893504B0
                      Source: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe NtProtectVirtualMemory: Direct from: 0x7FF7EBF7F689
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe NtProtectVirtualMemory: Direct from: 0x7FF79CFAC23D
                      Source: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe NtProtectVirtualMemory: Direct from: 0x7FF7EBF778C2
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe NtProtectVirtualMemory: Direct from: 0x7FF6A0FB686E
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe NtProtectVirtualMemory: Direct from: 0x7FF789347174
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe NtProtectVirtualMemory: Direct from: 0x7FF78932C134
                      Source: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe NtProtectVirtualMemory: Direct from: 0x7FF7EBCD8590
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe NtProtectVirtualMemory: Direct from: 0x7FF6A13EC57D
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe NtProtectVirtualMemory: Direct from: 0x7FF7892D05F0
                      Source: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe NtProtectVirtualMemory: Direct from: 0x7FF7EBB57E47
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe NtProtectVirtualMemory: Direct from: 0x7FF789709CB4
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe NtProtectVirtualMemory: Direct from: 0x7FF6A13F9CB4
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe NtProtectVirtualMemory: Direct from: 0x7FF7893E6A11
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe NtProtectVirtualMemory: Direct from: 0x7FF6A0FC58C1
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe NtProtectVirtualMemory: Direct from: 0x7FF79CF705F0
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe NtProtectVirtualMemory: Direct from: 0x7FF7896F8F28
                      Source: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe NtProtectVirtualMemory: Direct from: 0x7FF7EBF78F28
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe NtProtectVirtualMemory: Direct from: 0x7FF79D39C57D
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exeNtProtectVirtualMemory: Direct from: 0x7FF7892E0A0A
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeNtProtectVirtualMemory: Direct from: 0x7FF79CF80A0A
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeNtProtectVirtualMemory: Direct from: 0x7FF79D089BDF
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exeNtProtectVirtualMemory: Direct from: 0x7FF6A102F343
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exeNtProtectVirtualMemory: Direct from: 0x7FF6A0FC4E7C
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeNtProtectVirtualMemory: Direct from: 0x7FF79CF8090D
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exeNtProtectVirtualMemory: Direct from: 0x7FF6A103B123
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeNtProtectVirtualMemory: Direct from: 0x7FF79CFE3EA8
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exeNtProtectVirtualMemory: Direct from: 0x7FF6A13FE07F
                      Source: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exeNtProtectVirtualMemory: Direct from: 0x7FF7EBB60A0A
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exeNtProtectVirtualMemory: Direct from: 0x7FF6A1037174
                      Source: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exeNtProtectVirtualMemory: Direct from: 0x7FF7EBBAC134
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeNtProtectVirtualMemory: Direct from: 0x7FF79D3AE07F
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exeNtProtectVirtualMemory: Direct from: 0x7FF79CF649A6
                      Source: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exeNtProtectVirtualMemory: Direct from: 0x7FF6A10404B0
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exeNtProtectVirtualMemory: Direct from: 0x7FF789343EA8
                      Source: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exeNtProtectVirtualMemory: Direct from: 0x7FF789312DC6
                      Source: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exeNtProtectVirtualMemory: Direct from: 0x7FF7EBB505F0
                      Source: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exeNtProtectVirtualMemory: Direct from: 0x7FF7EBBC3EA8
                      Source: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exeNtProtectVirtualMemory: Direct from: 0x7FF7EBB92DC6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base address: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 404000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 406000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F8E008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" -Force
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe "C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe "C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exe "C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe "C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe "C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe "C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exe "C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exe "C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe "C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe "C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe "C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe "C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exe "C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\PqdYh9kiVSkf3FjC9RDfcS2e.exe "C:\Users\user\Pictures\PqdYh9kiVSkf3FjC9RDfcS2e.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe "C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\mm4Q31XfpYKjbn6ceSwXhER9.exe "C:\Users\user\Pictures\mm4Q31XfpYKjbn6ceSwXhER9.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe "C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\1HakjlIwxygCinOPkQfhRxwL.exe "C:\Users\user\Pictures\1HakjlIwxygCinOPkQfhRxwL.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\F6G6Y5cEUOHQw9dTwu4nNoIO.exe "C:\Users\user\Pictures\F6G6Y5cEUOHQw9dTwu4nNoIO.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe "C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe "C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 208 -p 7412 -ip 7412
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7412 -s 1156
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Process created: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2bc,0x6c60e1d0,0x6c60e1dc,0x6c60e1e8
Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe | Process created: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6bf8e1d0,0x6bf8e1dc,0x6bf8e1e8
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exe "C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exe"
Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe | Process created: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6b0de1d0,0x6b0de1dc,0x6b0de1e8
Source: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Process created: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe c:\users\user\pictures\t2riu3fph6dczigtg32vuvve.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2bc,0x6c60e1d0,0x6c60e1dc,0x6c60e1e8
Source: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe | Process created: C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe c:\users\user\pictures\sylcqzgphhuj3m0wbg0xxqzf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6bf8e1d0,0x6bf8e1dc,0x6bf8e1e8
Source: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe | Process created: C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe c:\users\user\pictures\0xytwvhs3we9jtguurid6gip.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6b0de1d0,0x6b0de1dc,0x6b0de1e8
Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp | Binary or memory string: k..\..\opera\desktop\chrome_imports\chrome\browser\win\ui_automation_util.ccGetCachedBstrValue property is not a BSTR: GetCachedInt32Value property is not an I4: X64Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
Source: T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp | Binary or memory string: ..\..\opera\desktop\chrome_imports\chrome\browser\win\ui_automation_util.ccGetCachedBstrValue property is not a BSTR: GetCachedInt32Value property is not an I4: X64Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndtooltips_class32S
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: 8_2_00409D1B cpuid 8_2_00409D1B
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_0042086B
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: EnumSystemLocalesW,8_2_004170F1
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: EnumSystemLocalesW,8_2_004201F6
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: EnumSystemLocalesW,8_2_004201AB
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: EnumSystemLocalesW,8_2_00420291
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_0042031E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: GetLocaleInfoW,8_2_004174E4
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: GetLocaleInfoW,8_2_0042056E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_00420697
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_0041FF33
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: GetLocaleInfoW,8_2_0042079E
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: EnumSystemLocalesW,8_2_049C04F8
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: EnumSystemLocalesW,8_2_049C0412
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: EnumSystemLocalesW,8_2_049C045D
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: GetLocaleInfoW,8_2_049C07D5
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: GetLocaleInfoW,8_2_049C07D3
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: GetLocaleInfoW,8_2_049B774B
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_049C08FE
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_049C019A
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_049C0AD2
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: GetLocaleInfoW,8_2_049C0A05
Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe | Code function: EnumSystemLocalesW,8_2_049B7358
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_6B9C83B7
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: EnumSystemLocalesW,14_2_6B9C43ED
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: GetLocaleInfoW,14_2_6B9C8310
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,14_2_6B9C7F30
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: EnumSystemLocalesW,14_2_6B9C7E88
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: GetLocaleInfoW,14_2_6B9C3EAC
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: EnumSystemLocalesW,14_2_6B9C82C5
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: EnumSystemLocalesW,14_2_6B9C8183
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: GetLocaleInfoW,14_2_6B9C81F0
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: GetLocaleInfoW,14_2_6B9C84BD
Source: C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,14_2_6B9C7C37
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,15_2_0042086B
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: EnumSystemLocalesW,15_2_004170F1
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: EnumSystemLocalesW,15_2_004201F6
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: EnumSystemLocalesW,15_2_004201AB
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: EnumSystemLocalesW,15_2_00420291
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,15_2_0042031E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: GetLocaleInfoW,15_2_004174E4
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: GetLocaleInfoW,15_2_0042056E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,15_2_00420697
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,15_2_0041FF33
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: GetLocaleInfoW,15_2_0042079E
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,15_2_02EF0AD2
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: GetLocaleInfoW,15_2_02EF0A05
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: EnumSystemLocalesW,15_2_02EE7358
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,15_2_02EF08FE
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,15_2_02EF019A
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: GetLocaleInfoW,15_2_02EF07D5
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: GetLocaleInfoW,15_2_02EF07D3
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: GetLocaleInfoW,15_2_02EE774B
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: EnumSystemLocalesW,15_2_02EF04F8
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: EnumSystemLocalesW,15_2_02EF045D
Source: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe | Code function: EnumSystemLocalesW,15_2_02EF0412
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exeCode function: 8_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,8_2_0040996D
                      Source: C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exeCode function: 22_2_00414B04 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,22_2_00414B04
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Lowering of HIPS / PFW / Operating System Security Settings

                      Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C2D6C799-1878-4A10-AE0B-BB0304219A47}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions | Registry value created: Exclusions_Extensions 1
                      Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C2D6C799-1878-4A10-AE0B-BB0304219A47}Machine\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableAntiSpyware 1
                      Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C2D6C799-1878-4A10-AE0B-BB0304219A47}Machine\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableRoutinelyTakingAction 1
                      Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C2D6C799-1878-4A10-AE0B-BB0304219A47}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableBehaviorMonitoring 1
                      Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C2D6C799-1878-4A10-AE0B-BB0304219A47}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableOnAccessProtection 1
                      Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C2D6C799-1878-4A10-AE0B-BB0304219A47}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableScanOnRealtimeEnable 1
                      Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C2D6C799-1878-4A10-AE0B-BB0304219A47}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
                      Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C2D6C799-1878-4A10-AE0B-BB0304219A47}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
                      Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C2D6C799-1878-4A10-AE0B-BB0304219A47}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRawWriteNotification 1
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | Registry value created: Exclusions_Extensions 1
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | File written: C:\Windows\System32\GroupPolicy\gpt.ini
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 24.2.Vh2fqCjm9jPtwuJrcfbbwxLj.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.Yz2gr4IqEnTCH1g642bo4hrO.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.JIsbjewlnghreiCB15kllzTk.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.3312827601.0000000000843000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: JIsbjewlnghreiCB15kllzTk.exe PID: 7992, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Yz2gr4IqEnTCH1g642bo4hrO.exe PID: 7016, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Vh2fqCjm9jPtwuJrcfbbwxLj.exe PID: 7660, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exe, type: DROPPED
                      Source: Yara match | File source: C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exe, type: DROPPED
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe | File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data

                      Remote Access Functionality

                      Source: Yara match | File source: 24.2.Vh2fqCjm9jPtwuJrcfbbwxLj.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.Yz2gr4IqEnTCH1g642bo4hrO.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.JIsbjewlnghreiCB15kllzTk.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.3312827601.0000000000843000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: JIsbjewlnghreiCB15kllzTk.exe PID: 7992, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Yz2gr4IqEnTCH1g642bo4hrO.exe PID: 7016, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Vh2fqCjm9jPtwuJrcfbbwxLj.exe PID: 7660, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exe, type: DROPPED
                      Source: Yara match | File source: C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exe, type: DROPPED

                      MITRE ATT&CK Matrix (one row per line, 14 tactic columns; a number in front of a technique is the count shown in the matrix for that technique)

                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | 11 Scripting | Valid Accounts | 2 Windows Management Instrumentation | 11 Scripting | 1 Abuse Elevation Control Mechanism | 71 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 4 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | 1 Shared Modules | 1 Windows Service | 1 Bypass User Account Control | 1 Abuse Elevation Control Mechanism | Security Account Manager | 45 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Proxy | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | 13 Command and Scripting Interpreter | 2 Registry Run Keys / Startup Folder | 1 Windows Service | 2 Obfuscated Files or Information | NTDS | 261 Security Software Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 412 Process Injection | 3 Software Packing | LSA Secrets | 61 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Cached Domain Credentials | 3 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Bypass User Account Control | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Masquerading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 61 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                      IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 412 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                      Behavior Graph ID: 1427735 | Sample: SecuriteInfo.com.Win64.Cryp... | Startdate: 18/04/2024 | Architecture: WINDOWS | Score: 100

                      Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 14 other signatures

                      Process tree reconstructed from the behavior graph (contacted IPs, dropped files and signatures are listed under the process they are attached to; the numbers after a process name are the graph's per-process counters):

                      SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe 1 3 (started)
                        Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
                        CasPol.exe 15 168 (started)
                          Contacts: 5.42.64.17 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation; 107.167.110.211 OPERASOFTWAREUS United States; 9 other IPs or domains
                          Dropped: C:\Users\...\zMgiNzEE9vHMTa7pUx4El30p.exe (PE32+); C:\Users\...\z2yKWzT0GXgmaQHim8qSwTt8.exe (PE32); C:\Users\...\ySa0tmdKXLMzZNFqxzPk3yl0.exe (PE32); 177 other malicious files
                          Signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior)
                          KI5P6OyhHMwNaNA4w0xtd3UY.exe (started)
                            Contacts: 93.186.225.194 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation; 95.142.206.1 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation; 19 other IPs or domains
                            Dropped: C:\Users\...\zfmWdTyj1A0x7CDHTSCFc6P6.exe (PE32); C:\Users\...\xFUB9mqMmDXHB6bYEudfe3bz.exe (PE32); C:\Users\...\tk993DcPKxGC0yxEJOpWA4Uq.exe (PE32); 21 other malicious files
                            Signatures: Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); Disables Windows Defender (deletes autostart); 5 other signatures
                          wjaGPzkDQjpdcbjBR9AwSFKW.exe (started)
                            Dropped: 6 other malicious files
                            Install.exe (started)
                              Dropped: C:\Users\user\AppData\Local\...\lIVrBSt.exe (PE32)
                          JPl4ZLOvy3fY5RSXGk5s9Gl5.exe (started)
                            Contacts: 3 other IPs or domains
                            Dropped: C:\Users\user\AppData\Local\Temp\u63s.1.exe (PE32); C:\Users\user\AppData\Local\Temp\u63s.0.exe (PE32); C:\Users\user\...\serversystemNCQ_x64.exe (PE32)
                            Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
                          18 other processes
                            Contacts: 107.167.110.218 OPERASOFTWAREUS United States; 107.167.125.189 OPERASOFTWAREUS United States; 3 other IPs or domains
                            Dropped: 12 other malicious files
                            Signatures: Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Found direct / indirect Syscall (likely to bypass EDR)
                            T2RIU3FpH6dczIGTG32vuvvE.exe (started)
                              Dropped: Opera_installer_2404180036143868168.dll (PE32)
                            syLcQZGPHHUJ3M0wbg0XxQZf.exe (started)
                              Dropped: Opera_installer_2404180036337438040.dll (PE32)
                            T2RIU3FpH6dczIGTG32vuvvE.exe (started)
                              Dropped: Opera_installer_2404180036248045740.dll (PE32)
                            2 other processes
                              Dropped: Opera_installer_2404180036333922764.dll (PE32); Opera_installer_2404180036226544476.dll (PE32)
                        powershell.exe 23 (started)
                          Signatures: Loading BitLocker PowerShell Module
                          conhost.exe (started)
                          WmiPrvSE.exe (started)
                        WerFault.exe (started)
                          Contacts: 20.189.173.21 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
                        CasPol.exe (started)
                      cmd.exe (started)
                        conhost.exe (started)
                        oE07FMGKijbqRxoSOEfcVNr4.exe (started)
                      svchost.exe (started)
                        WerFault.exe (started)
                      3 other processes

                      Source | Detection | Scanner | Label
                      SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | 24% | ReversingLabs | Win64.Trojan.Operaloader
                      SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | 21% | Virustotal |
                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Local\Ckxihb2NQynZLzb7wQqDjQv3.exe | 100% | Avira | HEUR/AGEN.1310450
                      C:\Users\user\AppData\Local\D0v59fae1RRLyzPSbsQoGGZK.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
                      C:\Users\user\AppData\Local\A6zIGniAZ7NEfPoGNA99xdJC.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
                      C:\Users\user\AppData\Local\KZrOTs6FcYbq3nj2hpYsaJil.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
                      C:\Users\user\AppData\Local\1sULHHpeqbgWxmRBkrwHQ2Wq.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
                      C:\Users\user\AppData\Local\7GonYrcCQJRZWxpQLYX649aX.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
                      C:\Users\user\AppData\Local\5CSwXytovRGWzicTtxKeyiOA.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
                      C:\Users\user\AppData\Local\7cokQoA6j0WDpV84Xp72tQca.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
                      C:\Users\user\AppData\Local\AO0lQiXja0SJ1xVYKQpJ0RgU.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
                      C:\Users\user\AppData\Local\4eN6JMBulbZWTUqm8bHwZ2Cg.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
                      C:\Users\user\AppData\Local\Ckxihb2NQynZLzb7wQqDjQv3.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\setup294[1].exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\inte[1].exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\D0v59fae1RRLyzPSbsQoGGZK.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\A6zIGniAZ7NEfPoGNA99xdJC.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\KZrOTs6FcYbq3nj2hpYsaJil.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\1sULHHpeqbgWxmRBkrwHQ2Wq.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\7GonYrcCQJRZWxpQLYX649aX.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\5CSwXytovRGWzicTtxKeyiOA.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\7cokQoA6j0WDpV84Xp72tQca.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\AO0lQiXja0SJ1xVYKQpJ0RgU.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\4eN6JMBulbZWTUqm8bHwZ2Cg.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\1sULHHpeqbgWxmRBkrwHQ2Wq.exe | 43% | Virustotal |
                      C:\Users\user\AppData\Local\4eN6JMBulbZWTUqm8bHwZ2Cg.exe | 43% | Virustotal |
                      C:\Users\user\AppData\Local\5CSwXytovRGWzicTtxKeyiOA.exe | 43% | Virustotal |
                      C:\Users\user\AppData\Local\7GonYrcCQJRZWxpQLYX649aX.exe | 43% | Virustotal |
                      C:\Users\user\AppData\Local\7cokQoA6j0WDpV84Xp72tQca.exe | 43% | Virustotal |
                      C:\Users\user\AppData\Local\A6zIGniAZ7NEfPoGNA99xdJC.exe | 43% | Virustotal |
                      C:\Users\user\AppData\Local\AO0lQiXja0SJ1xVYKQpJ0RgU.exe | 43% | Virustotal |
                      C:\Users\user\AppData\Local\Ckxihb2NQynZLzb7wQqDjQv3.exe | 44% | Virustotal |
                      C:\Users\user\AppData\Local\D0v59fae1RRLyzPSbsQoGGZK.exe | 43% | Virustotal |
                      C:\Users\user\AppData\Local\GNcg3yiDrmzw07ZdoxfNbs1v.exe | 61% | ReversingLabs | Win64.Trojan.Operaloader
                      C:\Users\user\AppData\Local\GNcg3yiDrmzw07ZdoxfNbs1v.exe | 52% | Virustotal |
                      C:\Users\user\AppData\Local\KZrOTs6FcYbq3nj2hpYsaJil.exe | 43% | Virustotal |
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\inte[1].exe | 48% | Virustotal |
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exe | 42% | ReversingLabs | Win32.Trojan.Generic
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exe | 47% | Virustotal |
                      No Antivirus matches
                      No contacted domains info
                      Name | Source | Malicious | Antivirus Detection | Reputation
                                  https://help.opera.com/latest/T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpfalse
                                    https://vk.com:80/doc5294803_668661395?hash=uQQoAVY7lWMuchlYkCFbK0P2SVazuAiimzHIh07ASrs&dl=WO5eZhu0JKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2123609804.000001C315EC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                      https://policies.google.com/terms;T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpfalse
                                        https://papi.vk.com/pushsse/ruimKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2250598835.000001C31606B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2214896326.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2201459715.000001C315E57000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316079000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219601594.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpfalse
                                          https://baldurgatez.com/KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315EC9000.00000004.00000020.00020000.00000000.sdmpfalse
                                            http://www.indyproject.org/JPl4ZLOvy3fY5RSXGk5s9Gl5.exe, 00000008.00000003.2351558121.0000000006365000.00000004.00000020.00020000.00000000.sdmpfalse
                                              https://meet.crazyfigs.top/style/060.exebKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2136505238.000001C315F49000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2152191829.000001C315F49000.00000004.00000020.00020000.00000000.sdmpfalse
                                                https://yip.su/redirect-CasPol.exe, 00000003.00000002.3402975175.00000000034DC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  http://localhost:3001api/prefs/?product=$1&version=$2..T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpfalse
                                                    https://crashpad.chromium.org/https://crashpad.chromium.org/bug/newT2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpfalse
                                                      https://starsmm.org/om/525403/setup.exer-end-point:RKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2164068721.000001C315F4A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        https://www.opera.com/download/T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpfalse
                                                          https://login.vk.com/?act=logout&hash=ff5c930db01817b629&_origin=https%3A%2F%2Fvk.com&lrt=BDpxh3TFcrKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2250598835.000001C31606B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2214896326.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2201459715.000001C315E57000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316079000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219601594.000001C316025000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216951657.000001C31608B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198566834.000001C316056000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C316055000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 
0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            https://meet.crazyfigs.top/:KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2123609804.000001C315EC3000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181878238.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2181344004.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2215403785.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179788596.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2182784722.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179158263.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EC9000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2184570072.000001C315EC9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              https://vk.comKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                https://www.instagram.comKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  https://st6-22.vk.com/dist/web/common_web.4f7e5a9b.cssKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    https://st6-22.vk.com/dist/web/chunks/palette.434ea2ce.jsKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      http://www.avantbrowser.com)MOT-V9mm/JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exefalse
                                                                        https://st6-22.vk.com/dist/web/docs.20074c02.cssKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          https://st6-22.vk.com/dist/web/site_layout.f88780c8.jsKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            https://cdn.discordapp.com/attachments/1088058556286251082/1111230812579450950/TsgVtmYNoFT.zipMozillJIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exefalse
                                                                              https://turnitin.com/robot/crawlerinfo.html)cannotJIsbjewlnghreiCB15kllzTk.exe, JIsbjewlnghreiCB15kllzTk.exe, 0000000A.00000002.3312022979.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Yz2gr4IqEnTCH1g642bo4hrO.exe, Yz2gr4IqEnTCH1g642bo4hrO.exe, 00000011.00000002.3312662666.0000000000400000.00000040.00000001.01000000.0000000F.sdmpfalse
                                                                                http://www.exabot.com/go/robot)Opera/9.80JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exefalse
                                                                                  http://www.innosetup.comKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2151788726.000001C316035000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCasPol.exe, 00000003.00000002.3402975175.00000000034A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      https://starsmm.org:80/KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2123609804.000001C315EC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        https://vk.com/doc5294803_668661395?hash=uQQoAVY7lWMuchlYkCFbK0P2SVazuAiimzHIh07ASrs&dl=WO5eZhu0JdqJKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2179717574.000001C315E4A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          https://crashstats-collector.opera.com/collector/submitNEBT2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3387261111.000000004E454000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            https://gigachadfanclub.org/bfdb39976dca392638e6450f1175fa96/7725eaa6592c80f8124e769b4e8a07f7.exe4VKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315E8B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              https://iplogger.org/privacy/CasPol.exe, 00000003.00000002.3402975175.00000000034DC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.3402975175.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                https://crashpad.chromium.org/T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpfalse
                                                                                                  https://addons.opera.com/en/extensions/details/dify-cashback/syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpfalse
                                                                                                    https://autoupdate.geo.opera.com/geolocation/T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpfalse
                                                                                                      http://www.google.com/bot.html)crypto/ecdh:JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exefalse
                                                                                                        https://crashstats-collector.opera.com/collector/submitsyLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3375978715.0000000001540000.00000004.00000020.00020000.00000000.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3411019967.0000000026E24000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          https://st6-22.vk.com/dist/web/page_layout.7b5800c2.jsKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            https://st6-22.vk.com/dist/web/polyfills.isolated.edaffb7b.jsKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              https://opera.com/privacyT2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpfalse
                                                                                                                http://www.spidersoft.com)JIsbjewlnghreiCB15kllzTk.exe, Yz2gr4IqEnTCH1g642bo4hrO.exefalse
                                                                                                                  https://sun6-21.userapi.com/c909328/u5294803/docs/d54/8868a626addc/files.bmp?extra=4Jh-lFC-FBDEqT-xOKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2250448749.000001C315F71000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    https://vk.com/0u0uDuwKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2174393508.000001C315E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      https://gamemaker.io)T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpfalse
                                                                                                                        http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/FetchingT2RIU3FpH6dczIGTG32vuvvE.exe, 0000000C.00000002.3392234781.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000000.1726890164.0000000000FDA000.00000002.00000001.01000000.0000000A.sdmp, T2RIU3FpH6dczIGTG32vuvvE.exe, 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000002.3407084581.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000013.00000001.1826449150.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000002.3322264502.00000000000CA000.00000002.00000001.01000000.00000012.sdmp, syLcQZGPHHUJ3M0wbg0XxQZf.exe, 00000015.00000001.2105606585.00000000000CA000.00000002.00000001.01000000.00000012.sdmpfalse
                                                                                                                                                                                                                https://cdn.syndication.twimg.comKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  https://dev.vk.comKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197680891.000001C316094000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    https://vk.com/browser_reports?deKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2241367516.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2215403785.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      https://st6-22.vk.com/dist/web/error_monitoring_classic.isolated.99143b54.jsKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        https://st6-22.vk.com/dist/web/grip.0b3b493f.jsKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2195830948.000001C316201000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2219148573.000001C316001000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2196034426.000001C315FD6000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216913004.000001C31608C000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2224912742.000001C316273000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2216252408.000001C31608B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          https://securepubads.g.doubleclick.netKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2240596988.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315E8B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315EA4000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2198735771.000001C315E6B000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2220046203.000001C315EA2000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2229181999.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2218205829.000001C315E89000.00000004.00000020.00020000.00000000.sdmp, KI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2197888344.000001C315F71000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            https://monoblocked.com/525403/setup.exepKI5P6OyhHMwNaNA4w0xtd3UY.exe, 0000000D.00000003.2164068721.000001C315F4A000.00000004.00000020.00020000.00000000.sdmpfalse
IP               Domain   Country             ASN     ASN Name                                       Malicious
185.172.128.90   unknown  Russian Federation  50916   NADYMSS-ASRU                                   false
34.117.186.192   unknown  United States       139070  GOOGLE-AS-APGoogleAsiaPacificPteLtdSG          false
85.192.56.26     unknown  Russian Federation  12695   DINET-ASRU                                     false
37.221.125.202   unknown  Lithuania           62416   PTSERVIDORPT                                   false
193.233.132.175  unknown  Russian Federation  2895    FREE-NET-ASFREEnetEU                           false
176.97.76.106    unknown  United Kingdom      43658   INTRAFFIC-ASUA                                 false
37.228.108.133   unknown  Norway              39832   NO-OPERANO                                     false
37.228.108.132   unknown  Norway              39832   NO-OPERANO                                     false
185.172.128.59   unknown  Russian Federation  50916   NADYMSS-ASRU                                   false
172.67.161.113   unknown  United States       13335   CLOUDFLARENETUS                                false
185.66.90.243    unknown  Ukraine             41820   NOVI-ASUA                                      false
172.67.132.113   unknown  United States       13335   CLOUDFLARENETUS                                false
172.67.169.146   unknown  United States       13335   CLOUDFLARENETUS                                false
104.21.79.77     unknown  United States       13335   CLOUDFLARENETUS                                false
104.21.31.124    unknown  United States       13335   CLOUDFLARENETUS                                false
95.142.206.2     unknown  Russian Federation  47541   VKONTAKTE-SPB-AShttpvkcomRU                    false
95.142.206.1     unknown  Russian Federation  47541   VKONTAKTE-SPB-AShttpvkcomRU                    false
104.21.63.150    unknown  United States       13335   CLOUDFLARENETUS                                false
104.21.90.14     unknown  United States       13335   CLOUDFLARENETUS                                false
104.21.37.250    unknown  United States       13335   CLOUDFLARENETUS                                false
172.67.207.236   unknown  United States       13335   CLOUDFLARENETUS                                false
172.67.169.89    unknown  United States       13335   CLOUDFLARENETUS                                false
185.172.128.228  unknown  Russian Federation  50916   NADYMSS-ASRU                                   false
172.67.176.131   unknown  United States       13335   CLOUDFLARENETUS                                false
185.172.128.203  unknown  Russian Federation  50916   NADYMSS-ASRU                                   false
104.21.5.28      unknown  United States       13335   CLOUDFLARENETUS                                false
172.67.75.163    unknown  United States       13335   CLOUDFLARENETUS                                false
93.186.225.194   unknown  Russian Federation  47541   VKONTAKTE-SPB-AShttpvkcomRU                    false
20.189.173.21    unknown  United States       8075    MICROSOFT-CORP-MSN-AS-BLOCKUS                  false
5.42.66.10       unknown  Russian Federation  39493   RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU   false
5.42.65.64       unknown  Russian Federation  39493   RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU   false
172.67.19.24     unknown  United States       13335   CLOUDFLARENETUS                                false
                                                                                                                                                                                                                              179.33.180.97
                                                                                                                                                                                                                              unknownColombia
                                                                                                                                                                                                                              3816COLOMBIATELECOMUNICACIONESSAESPCOfalse
                                                                                                                                                                                                                              107.167.110.218
                                                                                                                                                                                                                              unknownUnited States
                                                                                                                                                                                                                              21837OPERASOFTWAREUSfalse
                                                                                                                                                                                                                              104.21.91.214
                                                                                                                                                                                                                              unknownUnited States
                                                                                                                                                                                                                              13335CLOUDFLARENETUSfalse
                                                                                                                                                                                                                              107.167.110.216
                                                                                                                                                                                                                              unknownUnited States
                                                                                                                                                                                                                              21837OPERASOFTWAREUSfalse
                                                                                                                                                                                                                              5.42.64.17
                                                                                                                                                                                                                              unknownRussian Federation
                                                                                                                                                                                                                              39493RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRUfalse
                                                                                                                                                                                                                              107.167.110.211
                                                                                                                                                                                                                              unknownUnited States
                                                                                                                                                                                                                              21837OPERASOFTWAREUSfalse
                                                                                                                                                                                                                              23.53.13.176
                                                                                                                                                                                                                              unknownUnited States
                                                                                                                                                                                                                              20940AKAMAI-ASN1EUfalse
                                                                                                                                                                                                                              45.130.41.108
                                                                                                                                                                                                                              unknownRussian Federation
                                                                                                                                                                                                                              198610BEGET-ASRUfalse
                                                                                                                                                                                                                              107.167.125.189
                                                                                                                                                                                                                              unknownUnited States
                                                                                                                                                                                                                              21837OPERASOFTWAREUSfalse
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1427735
Start date and time: 2024-04-18 02:35:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 16m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 47
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@132/280@0/41
EGA Information:
• Successful, ratio: 45.5%
HCA Information:
• Successful, ratio: 68%
• Number of executed functions: 117
• Number of non-executed functions: 275
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe
• Execution Graph export aborted for target CasPol.exe, PID 7520 because it is empty
• Execution Graph export aborted for target JIsbjewlnghreiCB15kllzTk.exe, PID 7992 because there are no executed functions
• Execution Graph export aborted for target QHuPF3k4no0JL9DdGqDYtkCG.exe, PID 6480 because there are no executed functions
• Execution Graph export aborted for target T2RIU3FpH6dczIGTG32vuvvE.exe, PID 8100 because there are no executed functions
• Execution Graph export aborted for target syLcQZGPHHUJ3M0wbg0XxQZf.exe, PID 5496 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Skipping network analysis since amount of network traffic is too extensive
Time      Type             Description
01:36:02  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5me5kJjaX6nSu3LrmZClhT87.bat
01:36:19  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boo8FP0AhS3bBXLUBRbBJy9i.bat
01:36:44  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DJgk52sDeczUV1lmMmKix3k6.bat
01:37:34  Task Scheduler   Run new task: bWycNackLSywaqkmgR path: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\lIVrBSt.exe s>em /uIsite_idPNF 385118 /S
01:37:34  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VgsxHcqWGMZuJZrJUV5SLHQ3.bat
01:38:31  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WHd1pNJmpFoM8sqoNNUE4tf3.bat
01:38:34  Task Scheduler   Run new task: ImArchive path: C:\Users\user\AppData\Roaming\NBLwriter_test\TrueBurner.exe
01:38:34  Task Scheduler   Run new task: Mondemo_v5 path: C:\Users\user\AppData\Roaming\NBLwriter_test\TrueBurner.exe
01:39:02  Task Scheduler   Run new task: gTvwhQMzP path: powershell s>-WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
01:39:10  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y3oAYVErrIRWXBbeGz7YmX13.bat
01:39:24  Task Scheduler   Run new task: BAnwxolbGpCzXNxkj path: C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\FbhVkaQ.exe s>XT /aesite_idfYr 385118 /S
02:35:57  API Interceptor  188x Sleep call for process: CasPol.exe modified
02:35:57  API Interceptor  35x Sleep call for process: powershell.exe modified
02:36:12  API Interceptor  1x Sleep call for process: WerFault.exe modified
02:37:16  API Interceptor  17x Sleep call for process: KI5P6OyhHMwNaNA4w0xtd3UY.exe modified
02:37:48  API Interceptor  1x Sleep call for process: 7ifrWkUACu1QmnINWqs0eu9h.exe modified
02:38:10  API Interceptor  1x Sleep call for process: JIsbjewlnghreiCB15kllzTk.exe modified
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.1971148951905926
Encrypted: false
SSDEEP: 192:7Bj7/Wz50UnUVaWB2ASmQOAdzuiFEZ24lO8/Q:57/WOUnUVam2AZwzuiFEY4lO84
MD5: B0A1F337D719D0B1EF81062DA79C22AC
SHA1: 254FE75E4FB216570E5AB18061F144B63F78196E
SHA-256: 8B8CABE55F274AA3ACBB43E02194CBE23C981B3FA6A8D8C5EC0E0D9B3E2B9458
SHA-512: 2CB6426FDBB457DBE3019169234D1F302772E05E94ECC84CD62E36175EAD088A6CFC78AD3FBAF0AB4CEA671F7B06D58396DBBD76754B354D4BB8EF9C45E12113
Malicious: false
Reputation: unknown
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.8.7.4.1.5.6.7.2.9.4.6.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.7.8.7.4.1.5.7.5.2.6.3.3.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.2.5.b.6.b.5.1.-.d.5.b.5.-.4.4.5.7.-.9.4.a.8.-.6.a.7.6.7.5.3.2.0.6.6.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.9.9.1.6.3.3.c.-.8.5.8.0.-.4.d.3.1.-.b.5.4.6.-.9.c.6.2.a.6.7.3.e.3.e.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.6.4...C.r.y.p.t.e.r.X.-.g.e.n...2.1.4.4...2.6.0.2.3...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.U.b.a.z.a.f.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.f.4.-.0.0.0.1.-.0.0.1.4.-.a.7.7.8.-.5.b.5.f.2.8.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.0.0.0.5.8.0.8.6.5.7.1.d.b.a.3.2.1.3.d.2.5.0.1.d.2.f.c.f.3.8.3.0.0.0.0.0.0.0.0.!.0.0.0.0.0.e.b.6.8.2.7.8.7.8.4.4.5.d.3.e.3.e.5.8.
Process: C:\Windows\System32\svchost.exe
File Type: data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):13340
                                                                                                                                                                                                                              Entropy (8bit):2.7044387016978777
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:96:TiZYWF+CG4YGYFb2HWYEZSV7tEii4HlnLwDyWvPYtua1LKMPbZIR6D:2ZDxhNqVv4ua1LKMPbGR6D
                                                                                                                                                                                                                              MD5:BF830E6179C17B784BC50DCEF9EFF1B2
                                                                                                                                                                                                                              SHA1:3DE44FAB32E336ACC0E7F3BC56A5CA87927E257B
                                                                                                                                                                                                                              SHA-256:D6D6AFA275AD8BA5477B5DB77503E99B51B2E31E0E927A307F7376A61ABFF795
                                                                                                                                                                                                                              SHA-512:C0A65868C0CAE392D3B92A858164478AD96BD91BB1E63CFD4603EF835E5910743F4C9893E75F18DD9A28749984C86F808A5A8F2E9F647E3E82935BFD41FDAF76
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):120190
                                                                                                                                                                                                                              Entropy (8bit):3.1169973534153943
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3072:++TIedZ67afygI8z3A1fXqlENSipBpFhmaxF2Y7bRReHBZpdpDdtPW6DvwNGpX:l
                                                                                                                                                                                                                              MD5:9F50FF9985C26C6C832E53F7D54F75DD
                                                                                                                                                                                                                              SHA1:4CEBB67F2207FADEF07541D079D5CC09DD274234
                                                                                                                                                                                                                              SHA-256:8B81DDCFA535CD124B9B47D5DE77738992B62EB274C209FDAC081425A8784DEC
                                                                                                                                                                                                                              SHA-512:D8E8668CC1B53A5BEAAE17D67E86BC96E5BAF847D31854C998801266D1F6F6AABB293B48170BD7F03F64CB599D68FE9FB1A394F420EB559565FD84BBA87643A8
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):13340
                                                                                                                                                                                                                              Entropy (8bit):2.699942670375442
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:96:TiZYWwxBf9XCXYZYLTQCHyYEZXYtEir4C04wtJyYSKUaqcLpMXbGIJ6c:2ZDcBWe1FkaxLpMXbBJ6c
                                                                                                                                                                                                                              MD5:A04C946F05FF442FD135D8DBB03CFD73
                                                                                                                                                                                                                              SHA1:7D7D834CA8B00FE216E5A85E79A6FC540DA0E6F5
                                                                                                                                                                                                                              SHA-256:4C77A5899CA53D12E461476001357CEA2EB40A9930BA925D20110D87DBA2C94B
                                                                                                                                                                                                                              SHA-512:C079B3A90777AFD26A4B689F6D533428D64A56E352A686CF4507C68B63E6479E413A68A3485A8D0F525B3E4DFDAFE1C460819DC1F97816CDCE61BE2A84319084
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                              File Type:Mini DuMP crash report, 16 streams, Thu Apr 18 00:35:57 2024, 0x1205a4 type
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):513274
                                                                                                                                                                                                                              Entropy (8bit):3.2285922156468136
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3072:nPA4dyZnfKZbI74J+pcSV8N01CCqEF06PGX3g6R3+vnL79jvOSxa:nY4dy5ZZlqNJQ6R3Q3Xa
                                                                                                                                                                                                                              MD5:2F5952AF398883E97CFA3D5F1146FE89
                                                                                                                                                                                                                              SHA1:F9E9F242F72FF94E8D05CC36D1E00F858580C443
                                                                                                                                                                                                                              SHA-256:B8E1B3D60599C944E663D08386A68C899CC37D72AFD0201ECE03A69999C31D94
                                                                                                                                                                                                                              SHA-512:A118C4D1FC52C9BB8CD5E5C6501FB4CAF005BE315C55791E5DF04C40B011533F14AB7ED43B556C684F9641A2EE0AF6D19738AE33B8F96F5C219A07C4AF32743C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MDMP..a..... ........j f....................................$....%......t....%.......P..............l.......8...........T............9..B...........hD..........TF..............................................................................eJ.......F......Lw......................T............j f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):8754
                                                                                                                                                                                                                              Entropy (8bit):3.710779808502541
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:R6l7wVeJMH66Y9EnyJgmfD6JVprp89b3VbfX9m:R6lXJ066YunEgmfDiO3JfQ
                                                                                                                                                                                                                              MD5:3F19B1EC70A4EFD713D8FF89F8F20E10
                                                                                                                                                                                                                              SHA1:AB89996A42EA07D6CDC91215FE0EB479503A9DBB
                                                                                                                                                                                                                              SHA-256:748971A7C95616C06F6CC83BC3B41C7DE46BD7BA1061BA2C778621B78AC9FCC9
                                                                                                                                                                                                                              SHA-512:F018BA328D058C56F10C47D35CA516AE7BF172FB364E6854E037991120EE347F0ECAD5731C885D48D886EBA7DCD2F10F3A14DE81E77CD5F5687C4E22054DBD10
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.1.2.<./.P.i.
                                                                                                                                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4943
                                                                                                                                                                                                                              Entropy (8bit):4.588188452084952
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:48:cvIwWl8zsvJg771I9GpWpW8VYxYm8M4J58dAFEyq85dYGuBOU+hUud:uIjfRI7tY7VpJcouB7zud
                                                                                                                                                                                                                              MD5:C75322B23837912243838BFCD1E74497
                                                                                                                                                                                                                              SHA1:D0C9C9563A87DAE6F8B89ADB0747D20DA8582F85
                                                                                                                                                                                                                              SHA-256:1E508F99C2C56DFA5319D3DBD2BCFF754F24783BE2CFF0AEAE538EC81026361D
                                                                                                                                                                                                                              SHA-512:192B140BBE31129C30928CC581E79F1040C68423B3C2DF652F5BAB5CC8119100F81139F3FDBE5324A36CCF4D69AB755D8518FDB9F9A905375247670F5B81C0FB
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="284618" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):90244
                                                                                                                                                                                                                              Entropy (8bit):3.1192825812958773
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:1536:86xf0CIxxb8XfYSbO/mC0ifSwQtMm5yxZMy3UGH:86xf0CIxxb8XfYSbO/mC0ifSwQtMm5q1
                                                                                                                                                                                                                              MD5:59AF6233BE521B6DB990365C84C679B5
                                                                                                                                                                                                                              SHA1:8444685DA3636D9626099E315BCD695F39DD2C09
                                                                                                                                                                                                                              SHA-256:809A5A2093A90602498FDDD4201225991DF5D50000739F8A35BE227943F51CC2
                                                                                                                                                                                                                              SHA-512:E4798C869ECBA34D484ABCB4078847DADBDA8C7B5AE81E24DF717A6A9A0F12D3A65083277110589EDA263A5F8E1EF28120F67E619398B1A2062784BEFA8AF98D
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):13340
                                                                                                                                                                                                                              Entropy (8bit):2.684170560943136
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:96:TiZYWvp0uZ5yYDYLWCHAYEZq9tBiZ4q0KwM4CaOcLZMFkcIz63:2ZDTS0YGvaVLZMFkbz63
                                                                                                                                                                                                                              MD5:E213244DD0D0DC35E082A963CEBCDDCC
                                                                                                                                                                                                                              SHA1:F71F65F2148375354D35385D7944E80EBC95209D
                                                                                                                                                                                                                              SHA-256:D3AE15B98F792548C294370338EF3F423D1486EAC17473655D20E519AB27CE9F
                                                                                                                                                                                                                              SHA-512:2027A9E37D02D6BFA750FB02FAD750A376D8AF57BAB5B284EFF5B78EAE3B1A64A291C87F6F72871E4A0C74CC380F5406131632624863EE4BB5C8BF157D07186A
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):129264
                                                                                                                                                                                                                              Entropy (8bit):3.1072467096356253
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3072:y3fqc/dI4PrF4MWvpQeM00LuP+PVXW6zVntysTP947UV8hCjpZCQJOxQQ55Vij:s
                                                                                                                                                                                                                              MD5:EF1692FC004951E868382CD9A8271C40
                                                                                                                                                                                                                              SHA1:123885DFAD3B35763DD8AF77C207A4F507FC47D0
                                                                                                                                                                                                                              SHA-256:3CE91E92E951AFFF4621E9DB20A361AE0C7E1204923CDA370D7554CA5498D114
                                                                                                                                                                                                                              SHA-512:DA06CA971929FF7A9F3210AD18FC62B71A35C3CA729ACE9099FBCFD4E9F2E5AEA0672AFDB8B7FDD530C0491F5D65B39823D81D93B180C6B1D851794DDF0829F4
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                              • Antivirus: Virustotal, Detection: 43%, Browse
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884127347307364
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:z0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwww1:IPMki6zio75L3pf3dedO4keCIwkoYbgV
                                                                                                                                                                                                                              MD5:FAA5E9B03992A4E6148B799082100602
                                                                                                                                                                                                                              SHA1:6A7F81280293B1EE54DFA9E4CDB187DE441A4897
                                                                                                                                                                                                                              SHA-256:55067872C8F4490FBD427FBF6209B43E0F22A59AAF2A60F7733E2B1E51AFACB7
                                                                                                                                                                                                                              SHA-512:E1671D70469A13216A4EAF36A3752B537A66515A67FFA5CAA4CCBB966F54F1227FAD52115C32C26400CC4C4FC0DDAB47802DA463FA8E70BF1C1BB3B99CB6EE1D
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R......\R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                              • Antivirus: Virustotal, Detection: 43%, Browse
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 43%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5388160
Entropy (8bit):6.884126544344988
Encrypted:false
SSDEEP:98304:d0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwD:2PMki6zio75L3pf3dedO4keCIwkoYbgj
MD5:69E1ABABF2EDDB10050CF8F77602BBE5
SHA1:FD197C40FCDCB2585295FB1E1A3E7D81B04C65B1
SHA-256:7F6DAE24C6A7439C6894CA16A7376D87DE4CB64BE83CDBBE24E78AC7B9F9D749
SHA-512:42499B0E2E2BFAB62374142BC11A664B24ECC160D2980510B17123F139C8F91DE504F39BD80BB244EC0365A200D3FAFDCEBA0077A69D774EC7C4FAEC83A14236
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R.....MHR...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):462337
Entropy (8bit):7.165289332124068
Encrypted:false
SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
MD5:3A4982B7D2352FB3089C01B9F33C25EB
SHA1:A87055A316E5E1227C237E0A44A941F98F583419
SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 44%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                              • Antivirus: Virustotal, Detection: 43%, Browse
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):7446
                                                                                                                                                                                                                              Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                              MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                              SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                              SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                              SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 61%
                                                                                                                                                                                                                              • Antivirus: Virustotal, Detection: 52%, Browse
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884127351666352
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:J0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwo:aPMki6zio75L3pf3dedO4keCIwkoYbgI
                                                                                                                                                                                                                              MD5:CD54757EAFA70E59850F77982FAFCB49
                                                                                                                                                                                                                              SHA1:C339E58CD44295099CFFD1AB783FCC65A5A9913F
                                                                                                                                                                                                                              SHA-256:39D50F4716DAEF3C7B75E4DE57441390026036507E9B1676A927B85808BB526F
                                                                                                                                                                                                                              SHA-512:94B24A1E28CD7FE880C2CA6AA21DEFD92CA2B6B5000208A5F8528E4DED777647616D44818C42257C8C6C5F2B95BDE8C484DFE8AF5DFC0DBB198958F93E7D6D33
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R.......R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884126021626081
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:l0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwZ:+PMki6zio75L3pf3dedO4keCIwkoYbg5
                                                                                                                                                                                                                              MD5:1560C8B87E585F41D68CB050AE0CF052
                                                                                                                                                                                                                              SHA1:6919DDFE2A4475883092257E9B8B12DE0811D1FC
                                                                                                                                                                                                                              SHA-256:D22C0AF0FC10A88FE2B59AE051951EB6DFF323D7A4C145C80AFCD69D9FD52A02
                                                                                                                                                                                                                              SHA-512:5E645243F8E44E28CFF5113B683ED97713DCCB56A6DB1E8B13905FEE9007C76B177F607E0343C69B3D8FC0BD0899D8C515FC86E5EDB985159CC4A61BB56C1B13
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R......HR...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884125378117049
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:/0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwy:MPMki6zio75L3pf3dedO4keCIwkoYbgS
                                                                                                                                                                                                                              MD5:B1D3A17EDD5DACC6B98BEC740C1B4A2F
                                                                                                                                                                                                                              SHA1:9E059C6CE6AC7E32D848B29026C34A5D0C1599F0
                                                                                                                                                                                                                              SHA-256:92A81D1CF0DADC90DEA8BD297EAA153A755B3B972D77D141E39C03F76C2D8B28
                                                                                                                                                                                                                              SHA-512:3F9914FE9C10AB719814BEC9625D2BF3F0A564F814FF6AFAC082BEB594D14831640BB2E59A3CA8B1E7F3E9AAB26AA4A416D25C11A752858202B02625995BD505
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R.......S...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
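The per-file fields above (File Type, Size, Entropy (8bit), MD5/SHA1/SHA-256, and the section names readable in each Preview) are what an analyst recomputes when re-triaging the dropped files outside the sandbox. The script below is an added example, not code from the Joe Sandbox report: it computes the same hashes and the standard 8-bit Shannon entropy, walks the PE section table, and applies two packer indicators the report raises elsewhere for this sample, namely payload entropy near 8 (compare the 7.97 and 7.96 values of the two largest drops) and section names containing non-printable characters (the .vmp# sections visible in the 5128704-byte PE32+ drop). The two sample blobs are constructed inside the script (a stock-looking PE32 and a VMProtect-style PE32+ with a writable+executable section); they are not executable and are not the report's files, and the 7.5 entropy cut-off and the STANDARD_SECTIONS list are the example's own assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

I386, AMD64 = 0x14C, 0x8664                      # IMAGE_FILE_MACHINE_*
SCN_CODE, SCN_IDATA = 0x20, 0x40                  # IMAGE_SCN_CNT_*
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_MEM_*
# Assumption of this example: names a stock linker emits; anything else deserves a look.
STANDARD_SECTIONS = {b".text", b".rdata", b".data", b".pdata", b".rsrc", b".reloc",
                     b".tls", b".idata", b".edata", b".bss", b".CRT", b"_RDATA"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0..8, the quantity the report lists as 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data: bytes):
    """DOS header -> COFF header -> section table; returns (machine, [(name, vsize, rsize, chars)])."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, _ts, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # 40-byte section headers follow the optional header
    out = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _va, rsize, _raw, _, _, _, _, chars = struct.unpack_from("<IIIIIIHHI", data, off + 8)
        out.append((name, vsize, rsize, chars))
    return machine, out


def triage(data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Summarise one dropped file the way the report does, plus two packer indicators."""
    machine, sections = pe_sections(data)
    ent = shannon_entropy(data)
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "file_type": {I386: "PE32 (Intel 80386)", AMD64: "PE32+ (x86-64)"}.get(machine, hex(machine)),
        "size": len(data),
        "entropy": round(ent, 3),
        "high_entropy": ent >= entropy_threshold,  # 7.5 is this example's cut-off, not the report's
        "sections": [n for n, *_ in sections],
        # non-standard or non-printable names: the report's "section with special chars"
        "odd_sections": [n for n, *_ in sections
                         if n not in STANDARD_SECTIONS or not all(0x21 <= c <= 0x7E for c in n)],
        # writable+executable sections, which unpack-in-place stubs need
        "wx_sections": [n for n, _v, _r, c in sections if c & SCN_WRITE and c & SCN_EXEC],
    }


def build_pe(machine: int, sections) -> bytes:
    """Constructed, non-executable PE-shaped blob: DOS stub, COFF header, zeroed optional
    header, section table, then raw section data at 0x200 file alignment."""
    e_lfanew, opt_size, magic = 0x40, (0xE0 if machine == I386 else 0xF0), (0x10B if machine == I386 else 0x20B)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", magic) + b"\0" * (opt_size - 2)
    hdr_len = (e_lfanew + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, body, raw, va = b"", b"", hdr_len, 0x1000
    for name, payload, chars in sections:
        rsize = (len(payload) + 0x1FF) & ~0x1FF
        table += name.ljust(8, b"\0")[:8] + struct.pack("<IIIIIIHHI", len(payload), va, rsize, raw, 0, 0, 0, 0, chars)
        body += payload.ljust(rsize, b"\0")
        raw, va = raw + rsize, va + ((rsize + 0xFFF) & ~0xFFF)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0") + body


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packed payload."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


RX, R = SCN_CODE | SCN_EXEC | SCN_READ, SCN_IDATA | SCN_READ
# Constructed samples, not the report's files: a plain PE32 and a VMProtect-style PE32+.
SAMPLE_CLEAN = build_pe(I386, [
    (b".text", b"\x55\x8b\xec\x33\xc0\x5d\xc3" + b"\xcc" * 4000, RX),
    (b".rdata", b"This program cannot be run in DOS mode.\r\n" * 50, R),
    (b".data", b"\0" * 2048, R | SCN_WRITE),
])
SAMPLE_PACKED = build_pe(AMD64, [
    (b".text", _pseudo_random(4096), RX),
    (b".vmp#\x00V7", _pseudo_random(65536), RX | SCN_WRITE),
    (b".rsrc", b"\0" * 256, R),
])

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("packed", SAMPLE_PACKED)):
        print(label, triage(blob))
```

To check a real drop, call `triage(open(path, "rb").read())`; the md5/sha1/sha256 values should match the report's fields for that file, and a whole-file entropy above 7.5 together with a name outside STANDARD_SECTIONS is the same pairing the report shows for the VMProtect-wrapped drops. Note that the whole-file entropy is diluted by zero-padded headers and resource data, which is why per-section entropy is the better discriminator on large files; the parser returns each section's raw size so that is a one-line extension.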

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4396408
Entropy (8bit):7.971773908633874
Encrypted:false
SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 43%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):343552
Entropy (8bit):6.7047176909836566
Encrypted:false
SSDEEP:3072:XRKcLCu7bjrfJE0OlCV0+L/h+nPO9lhE6Vh5MaYo8DU06kgTJW7E1LeUOUkEqiQJ:EEbj9ecVRL/hHVhVJ06fTJpfq0zxJL5
MD5:540F70094794C16274ABCD644DFE7738
SHA1:9C644CF30F5BB34E824E2C73A761AAE159900547
SHA-256:0DDADD676CA7814044645E7E230F25A9E1BFEF479582179D22AB4A26F962B5D9
SHA-512:20206DFA3F7D4A144B2158D2FFA7F101B95CEA396D377A4DACE47CB010C75B1F3E5FE79065A2B03DAAF4EB98EC43A01AF7A66E89A2D8170B1CB9970D17C675BB
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 48%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....T.e.............................g............@.......................... .............................................t(..d.... ..p........................... ...8...................h....... ...@............................................text.............................. ..`.rdata.............................@..@.data...H...@...&...&..............@....rsrc...p.... .......L..............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2188562
Entropy (8bit):7.94338433261686
Encrypted:false
SSDEEP:49152:CvxfXTFb1TJDfeQ3ZPSdivgGasStYLXbCKsVZ4:CvxBzfe6Kdi4GasoU2KCZ4
MD5:309E2C38AED62655F7CF09CFCD40A56A
SHA1:A235B5E71D665DDD520443DBA2FD42E0F89E3FDF
SHA-256:0B9A3732229105BFCBFD661BAEC73D588F4FE63F1A8F5DE162607874737DC0D4
SHA-512:642354A2A0A475AA979E44C00198761DB6E3C0C10075C8D4F44B6B1F43760C49784D9BB6ABCCAF18E0F7CE762CD931708AAD572C87EEDFB03E821749E46CC09C
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......#.=lgwS?gwS?gwS?..?jwS?..?.wS?..?.wS?...?ewS?..W>twS?..P>qwS?..V>UwS?n..?lwS?n..?`wS?gwR?ovS?..V>AwS?..S>fwS?...?fwS?..Q>fwS?RichgwS?........................PE..L...`..e...............!.............m............@.......................................@.........................`:..4....:..P...............................d*..@...T...........................@...@...............,....0.......................text.............................. ..`.rdata..............................@..@.data....\...P.......:..............@....didat..x............J..............@....rsrc................L..............@..@.reloc..d*.......,...,..............@..B................................................................................................................................................................................................................................

Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):316928
Entropy (8bit):6.544910731342647
Encrypted:false
SSDEEP:6144:JXkws5FHvbaXTLC42m+g51uHct7jGZyL:JUwsvbaXTLCfg514ct7aw
MD5:867B7D371368F7872DA473E89646AA0B
SHA1:632E18C92F4E304DFF18F8C6ACFE165D7F5F538C
SHA-256:CA3CB9514C8544017CEF8E68C76D4ABBB7028019D2DB0C4AC4D88C29700743DC
SHA-512:D5B492E5B15264F47F4C811BB0BC7584C3A914839A2D1EF962C217E6091203C72434EFB2D2100097A75B8BDAD007B1EC2A6849D51839BF1B23ECEB47802D1E86
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 42%
• Antivirus: Virustotal, Detection: 47%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L.....Ed.............................g............@..........................................................................(..d.......p........................... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data....x...@.......&..............@....rsrc...p...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
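Every dropped-file record in this table carries the same triage fields: the four digests, the 8-bit entropy next to an Encrypted flag, and a preview of the MZ/PE header with its section table. Two of the PE32 drops above sit at 7.94 and 7.97 bits per byte, which is what packed or encrypted content looks like, while the others sit at 6.5 to 6.7. The following Python is an added example, not part of the Joe Sandbox report or its tooling, that reproduces those checks offline on a constructed two-section PE32 stub: it computes the digests and file entropy on the same scale the report uses, walks the section table, and flags the things an analyst checks first on a dropped PE: a section name with non-printable characters, a section mapped writable and executable, and a section whose content entropy is high enough to suggest a packed payload. The 7.0 threshold and the stub file are assumptions for illustration; no bytes are taken from the sample.

```python
import hashlib
import math
import struct
from collections import Counter

# Section characteristic bits from the PE/COFF spec (IMAGE_SECTION_HEADER.Characteristics).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumption: a common triage heuristic, not a value the sandbox report defines.
PACKED_THRESHOLD = 7.0


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the scale of the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hash_set(data: bytes) -> dict:
    """The four digests listed for every dropped file, upper-case hex as in the report."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def pe_sections(data: bytes) -> list:
    """Walk the PE section table and return the triage view of each section."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    _machine, nsec, _ts, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    out = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, _rel, _ln, _nrel, _nln, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        name = name.rstrip(b"\0")
        ent = shannon_entropy_8bit(data[raw_ptr:raw_ptr + raw_size])
        out.append({
            "name": name,
            "name_has_special_chars": any(b < 0x20 or b > 0x7E for b in name),
            "entropy": ent,
            "likely_packed": ent >= PACKED_THRESHOLD,
            "write_and_execute": bool(chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return out


def triage(data: bytes) -> dict:
    """One record in the shape of the report's dropped-file entries, plus per-section findings."""
    rec = {"size": len(data), "entropy": shannon_entropy_8bit(data), **hash_set(data)}
    rec["sections"] = pe_sections(data) if data[:2] == b"MZ" else []
    rec["likely_packed"] = rec["entropy"] >= PACKED_THRESHOLD or any(s["likely_packed"] for s in rec["sections"])
    return rec


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 stub for this demo (not one of the report's files): a
    low-entropy .text plus a write+execute section with a non-printable name that holds
    byte-uniform data, which is what a packed payload looks like to an entropy check."""
    align = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after the DOS header
    text = (b"\x55\x8b\xec\x5d\xc3" * 103)[:align]    # push ebp; mov ebp,esp; pop ebp; ret, repeated
    packed = bytes(range(256)) * 2                   # every byte value equally often: entropy 8.0
    opt = b"\x0b\x01" + bytes(0xE0 - 2)              # PE32 magic, rest of the optional header zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    hdr = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), align, 0, 0, 0, 0,
                      IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    hdr += struct.pack("<8sIIIIIIHHI", b".x\x01y", len(packed), 0x2000, len(packed), 2 * align, 0, 0, 0, 0,
                       IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    image = dos + b"PE\0\0" + coff + opt + hdr
    image += bytes(align - len(image))               # pad headers to the first file-alignment boundary
    return bytes(image + text + packed)


if __name__ == "__main__":
    rec = triage(build_sample_pe())
    for k in ("size", "entropy", "likely_packed", "MD5", "SHA-256"):
        print(f"{k}: {rec[k]}")
    for s in rec["sections"]:
        print(s)
```

Whole-file entropy alone can hide a packed payload inside an otherwise ordinary binary, which is why the per-section pass matters: the stub's .text scores around 2.3 bits per byte and the second section scores exactly 8.0, and only the latter trips the threshold. To run this against a real drop, replace build_sample_pe() with the bytes of the file and compare the digests against the record above.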

Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:data
Category:dropped
Size (bytes):5077012
Entropy (8bit):6.713227789841581
Encrypted:false
SSDEEP:49152:pVJXO9PUAjyyUWbeBV3XEWkMgv3KT0RJ3P23QM+IL6:pVJUPZjjUWbg3UYgv6SpP2gMC
MD5:1047B1F6A74DA3574E0995A5A122489A
SHA1:3E0A1BECFD48F15CE486E85B1D2F29D079388B43
                                                                                                                                                                                                                              SHA-256:F8D58AFC94CE91D30BEC6308306132E23A888D0B6D95DB461E4D5F9F7DFBEB51
                                                                                                                                                                                                                              SHA-512:55B8CF3817E86EB0665CFCB2C94F4A59CF1026DBA202D5644D2DE2E2685A8DEDE8CE51B07C822F3B76126B98FEFC4F0B2DEA4C0B548511DE2EFDB9CB008E7B36
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:..fUXO......................................................................4..Y.4A}|f5egzrgtx5vt{{za5wp5g`{5|{5QZF5xzqp;...1.........gf...5...5...5..4...5...4a..5...4...5o7.5...5o7.4..5o7.4...5o7.4...5...4...5...5K..5^4.4..5^4.5...5...5...5^4.4...5G|v}...5................EP..Y......s...............2...../......../.......................................I.....P.[.......................................1..........J....................I..............................E1.....................................................55555555.........y..................5..u55555555k............e..................55555555............g..................;gfgv....J.......u......................55555555......6..G.....................W;|qtat........1......!U.................;ayf.........E1......#U.................;a}px|qt..-..u1...-..-U.............u...;gpyzv........I......mX.....................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396432
                                                                                                                                                                                                                              Entropy (8bit):7.971776651930106
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:CkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDK:zZ2x3CqNcHdGTLNp+F+8elDK
                                                                                                                                                                                                                              MD5:B771700D69018054DD943B925FEA644C
                                                                                                                                                                                                                              SHA1:4E2F78B445F72BA9047E1C3B04D3038F02EDBE44
                                                                                                                                                                                                                              SHA-256:D17AD1DCBAFC3D794863720E3ADBB64FEC117549A51858DB3BE7B7B7F3BC63F9
                                                                                                                                                                                                                              SHA-512:5FDE1B9785B13073394F355F627B28932AA436A50A9FC4B93C8F6E2E2BC92CBFA00479BA23339F67D7721BBFF5A0EDDFDCE471C00FD9BC6D6BB27E7E93AC4F32
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C............. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):334964
                                                                                                                                                                                                                              Entropy (8bit):7.705017859990294
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6144:/gVZRnlVauSzupCXYHbqlK1CRdKKvTNyykMiMqMOMU2RKUDsbtv:/gPRDECpCXY7UKKvTNyykMix2cVR
                                                                                                                                                                                                                              MD5:FCCE3C5D035DDB86B641DAD9E995A875
                                                                                                                                                                                                                              SHA1:3D61D915A9B27D2BC086481995D48624E3CFF674
                                                                                                                                                                                                                              SHA-256:F3F19E11D647C218078DC26444E72A3AA0F35D0AB27C9BBACA9214D45165EA6B
                                                                                                                                                                                                                              SHA-512:9EBB3E40D8FEE928914155DF1ACFED421B7CA7D3320264F6B0CD4837C1ADA75C48354E5D5683BB08A2005C2CC12B42C7C16C2B225814E7EAD71829EBE572A52E
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:..fUXO......................................................................4..Y.4A}|f5egzrgtx5vt{{za5wp5g`{5|{5QZF5xzqp;...1.........V.[.8.[.8.[.8...;.Q.8...=..8...<.O.8..1=.}.8..1<.I.8..1;.I.8...9.^.8.[.9...8..21.Z.8..2.Z.8..2:.Z.8.G|v}[.8.........................EP..Y.....5s...............2.9..........v........................................%..............................................Q...).......................e3......5......................................................=...........................;apma...[?.......9..................5..u;gqtat...........y...%..................;qtat...Y[.......S......................;gfgv...................................;gpyzv..5..............................W............................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4825092
                                                                                                                                                                                                                              Entropy (8bit):7.3637959961825254
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:zrcM2qW+CtfomFAJPhD6yJic8zmzmRE3sahm:tZCY5DhJinzmmosaA
                                                                                                                                                                                                                              MD5:C4F37EC04EECD2873018F55412B23348
                                                                                                                                                                                                                              SHA1:4438C303C59C47B6064854B7D922E4998974FE00
                                                                                                                                                                                                                              SHA-256:D0ADEAE76A52B284784DEC96E3195BA67D55F9070A855DE88E87F2E352BB6A76
                                                                                                                                                                                                                              SHA-512:B5585462284F7F7A2E409E9FA4427ACD1374B3D74D6CC359A24B40B6EC7BFBB68E852344B4BDDB1091C5C4687928FE6905B838A8165EE5B4CF0A80E1DB5EEFDF
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:..fUXO......................................................................4..Y.4A}|f5egzrgtx5vt{{za5wp5g`{5|{5QZF5xzqp;...1.......EP..Y....#...............E..O]..Q......;m]..5....]......5........................_..............................................b].^.....].......................\......................................................5...............5..]...........;apma...!M]..5...O].................5..u;gfgv.........]..W...I].................;gpyzv........\.......\................W.................m].....]........e...........U...d..............................................#>.=.<y.=.U..?../>.=!.@..=....?.C>.=m@.\..=....-.....?..W>.=...)k.......?...#>.=^"DZk....?...%..........>.=..}F5........-........P........ ...3...-....f.........5.....,....35....-....?f.........-:...f.........5.....,....35....-....f.........-....f.........-........%..>.......>.=.. "-......?-....-.....k....z......-......%..>.......>.=|2[w-......?.k....z......-....-....-......%..3.......>.=.I_+.k....z..
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:HTML document, ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):327
                                                                                                                                                                                                                              Entropy (8bit):5.301576517537887
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:pn0+Dy9xwol6hEr6VX16hu9nPzATV4SiKRzeZAUyBFEcXaoD:J0+ox0RJWWPzuzlwAULma+
                                                                                                                                                                                                                              MD5:9C979EB881F53B52060142DC127ACC6D
                                                                                                                                                                                                                              SHA1:D77E0BEB384F45C7EF01FEF98F5DEBA0DEA07C15
                                                                                                                                                                                                                              SHA-256:3FCBA2835E4E13EB1E0E71C8551655823D92BDCB3E446897CDC256B93F9ADCC3
                                                                                                                                                                                                                              SHA-512:C45B0C8FAF43B6D01EFB4AEC9834146F72DA3D0AFC615CA7DB0DF3B651B68131A144674282D02155297D5A76FA7330217BF758535F785916C9F592C9170BC5C8
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://c.574859385.xyz/525403/setup.exe">here</a>.</p>.<hr>.<address>Apache/2.4.55 (Unix) Server at monoblocked.com Port 80</address>.</body></html>.
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):318464
                                                                                                                                                                                                                              Entropy (8bit):6.547791907799988
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3072:kpmcLlzbB0rV5n7CzvfHT99+nPGEl8G2TQVWyS7xAYjhMp70nFXXa6uF4W6vc2m:/qB0772v/T99oVmA370nFXKXF4W602
                                                                                                                                                                                                                              MD5:919F8F761910803D4FDAB592DBBEE63C
                                                                                                                                                                                                                              SHA1:819C861043EA6BA0D69D48A56E1F8A0C295EAF83
                                                                                                                                                                                                                              SHA-256:FC1D13A97211887DFA7767DAA27817C1575834899D9F47A674F81D288230DF6E
                                                                                                                                                                                                                              SHA-512:69E13430652A6855F9CFA4DF964F3BDEBADBFC8D405B06330706E7A273A5D06B34836864EDA4B792FA46EAEF1B7CED10F7C2E024C7F9E09B329938D511D481EE
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....Z.c.............................g............@.........................................................................t(..d.......p........................... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data....|...@.......&..............@....rsrc...p...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396424
                                                                                                                                                                                                                              Entropy (8bit):7.971776907219028
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6kZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDv:7Z2x3CqNcHdGTLNp+F+8elDv
                                                                                                                                                                                                                              MD5:B8A886917F1F5AC4B6B6D85592BA5FAE
                                                                                                                                                                                                                              SHA1:F79435A483AE68FBC7843F599721429B53D67C1E
                                                                                                                                                                                                                              SHA-256:581D748ADD7C355C0B9A75A8E2FBBE1D9098562C57E05BDD2F30EC45AB5B5390
                                                                                                                                                                                                                              SHA-512:7F37566F8DEDCBA66E12C012E082B4A7DF53D767F78525CFCE1C59067921B8ACB756C7496AE74F8B742393F0DBAB48E32E63A1F23621EAEFDA4EE331E1F1589A
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C............. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):303104
                                                                                                                                                                                                                              Entropy (8bit):6.1282620196226825
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6144:5pUtp57JgcC9umP9mQwFpaSPBu+opYh/MLlRjdV55Y14PLckdK:Y7Ydfbe8uBuhpk/wd5HjVg
                                                                                                                                                                                                                              MD5:3920320ABE977A8205C64894CA6C7E03
                                                                                                                                                                                                                              SHA1:C7B79862B48101986F1CB72F4298055B4238C617
                                                                                                                                                                                                                              SHA-256:95ABB1FF23E79D1CCB8A08F9802FD8D3358F2F7F6895494F06EAD92AE39AE0BA
                                                                                                                                                                                                                              SHA-512:AACD03DB1EF36B6978632DC2E3E1F3A2DA82576C15750E8359238CB104333BE7F9D2C8B3D4A12BB2A8DDA1CD69C7F6149A77EC2C09197C219FF8B657DE72DD71
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....b..........."...0.................. .....@..... ....................................`...@......@............... ..............................................................<...8............................................................ ..H............text........ ...................... ..`.rsrc...............................@..@........................................H....... +...&...........Q..hd...........................................0...........(....&.s.......s......o....o.....+B.o.......o....(.......o....(....,...(....&+...(....(....&....(.....o....-....,..o .....,..o .....,..o ....*..(....".Np..........dz..........v........0..........(....(!...~....(......&..*....................("...*V(#...r...p(.........*...,...%.r...p.%.~....ri..p($....%.~....r...p($....%.r...p.*...,...%.~....r...p($....%.~....r...p($....%.r...p.%.r...p.*...,...%.~....
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):108893416
                                                                                                                                                                                                                              Entropy (8bit):7.999992755622592
                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                              SSDEEP:3145728:BBFS7Vpknp2sTT4bt+vy45oRmdfAKLlEPE:Bza6p2sT8btA59dd5EPE
                                                                                                                                                                                                                              MD5:5014156E9FFBB75D1A8D5FC09FABDC42
                                                                                                                                                                                                                              SHA1:6968D1B5CEC3039E53BBBEDEEE22E2D43D94C771
                                                                                                                                                                                                                              SHA-256:7A01E11E1830BA3C154E5A6C383DA15938B1E48F89A2FE4045CDD260924B6802
                                                                                                                                                                                                                              SHA-512:BFC5C44881D0FA7BCBCCFD530D874FA624ADEC50E1A16063A72DE12876D2DB10CA5EDD6FA841EA63E9DECA3FF2ADF54065F50719FE051D41DE92BB68EDBA4016
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...'..P.................(...F.......-.......@....@..................................z~......................................b......................Hk}..)...........................................................@..d............................text....&.......(.................. ..`.rdata...5...@...6...*..............@..@.data....)...........`..............@....rsrc................h..............@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P....P.|..Y.nj'.v....u..v..=.BA..6P......P....9^..].v8.^..3......hhDA.P..........P......P..pAA..E..E....;F.r......P.J|..Y.24..j...lAA...t$..D....3.9.H.A.t...@....9D$.t..t$.Ph.....5@.A....BA.3.....D$..`...|$..u..@.....3.....t$..D$..t$...`.A......t$...P.Q..%`.A...D$...V...t...P.Q...^...VW.|$.....t...W.P.....t...P.Q..>.._^....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u..S.\$.V..C;^.tLW3.j.Z...........Q.......3.9F.Y~.9F.~...f..Af..G@;F.|..6....
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5132515
                                                                                                                                                                                                                              Entropy (8bit):7.9989710005062715
                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                              SSDEEP:98304:edvpKKEk7iDhtjYagGe5e5Nbx0U9WNuKnLYUhymVb2:ihwYiDfjgQWFLphJC
                                                                                                                                                                                                                              MD5:F7900D3A6E3F0A09BA62AC64B9290B34
                                                                                                                                                                                                                              SHA1:A48992FBDA2A879AA3A03D2FB319D4975EDD218B
                                                                                                                                                                                                                              SHA-256:8B0BB592AC99DC7FFBF70BFCFADABABB7BAD4E7AEFC8C8E965BFEE66ABDBC8AE
                                                                                                                                                                                                                              SHA-512:134C9F8276B9D48FF0C174D61B3618D7E52852C6BC7AE08146B352E7476BCA0F5330BC712D89F207E2443A956C809FDAF46F390DDD1A5F8C2FCBA2670D445070
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................B...................@..........................0...................@..............................B........(..........................................................................................................CODE................................ ..`DATA....H...........................@...BSS.....4................................idata..B...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....(.......(..................@..P.............0......................@..P........................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):427524
                                                                                                                                                                                                                              Entropy (8bit):7.797596739400079
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12288:kUBwGC0lwC1CdJn7sUQGk1jCwiUlG9XdyQn3YgUxw8IyH:+GOoUQ/uy89XN3YgUaG
                                                                                                                                                                                                                              MD5:6374B40C86981C6389B71F562D125E56
                                                                                                                                                                                                                              SHA1:7EECB0D8AEB1D830C529A281BD2B6F0BB2D75437
                                                                                                                                                                                                                              SHA-256:EFD92C46FAC78F6BEE40DFBB14EF3279AB7B0C5F7CB8AEAB4B2D87189A819B2D
                                                                                                                                                                                                                              SHA-512:CF55FAB31F4976D528D68FA6822E94988A02C073A7536936757D7A242867A59AC6870C3E07697562063582AF4A4C4320B09AA0D446EE88A11244FBF16026BD20
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:..fUXO......................................................................4..Y.4A}|f5egzrgtx5vt{{za5wp5g`{5|{5QZF5xzqp;...1............L..L..L...M..L...MI..L...M..L.,.M..L.,.M..L...M...L..L...L.,.M..L6/.M..L6/"L..L6/.M..LG|v}..L................EP..Y....y.s...............2.%...I......r...........................................................................................)...................................e...................................................=...........................;apma...^;.......%..................5..u;gqtat..Sx.......{...!..................;qtat...................................;gfgv................g..................;gpyzv...............a.................W....................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):6153220
                                                                                                                                                                                                                              Entropy (8bit):6.377643292816472
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:MpfBkrNIUp96am5aY7LfSnlu0SBT113oufTkPH8BhwtAhWYxO703uw:MjmIU6SYV711ZTkEBhwwxO7Kuw
                                                                                                                                                                                                                              MD5:7B284CFC3CDF77F706342B3286160AE4
                                                                                                                                                                                                                              SHA1:33BA021D323680BECE781474CD2E36949D502DBF
                                                                                                                                                                                                                              SHA-256:96C140DC6A89A13861DFFB8BCF7FF312AB521E31844800199A6F8B9686478B70
                                                                                                                                                                                                                              SHA-512:539DBB8CD1FCF9983DCF28B7C12619BE83DA4C2CDAB74C30804C655D4E5577F5DC99B21277F3607A7D7D3D027C31BEE6446779A1AB77A9B5EA7EAA4F6298CA47
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:..fUXO......................................................................4..Y.4A}|f5egzrgtx5vt{{za5wp5g`{5|{5QZF5xzqp;...1.......EP..q.................;....1..3...H..............................................%q.....h.K...u...5......................................5w.[....%w......ew.R.....N..............Ev..............................9N.=...................i!w.............................;apma.....3.......3.................u.uu;qtat.........2.......3...............u.;gqtat....;...9...;..i9...............u.;eqtat........N......=N...............%.;mqtat..Q....%I.......I...............%.;wff..........I.......................u.;pqtat..[....5w.......I...............%.;|qtat.......%w.......I...............%.;VGA....e....Ew......%I.................;ayf.........uw......'I.................;gfgv...R....ew......!I...............%.;gpyzv.......Ev.......H...............%W............................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):6645997
                                                                                                                                                                                                                              Entropy (8bit):7.9960820227785065
                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                              SSDEEP:98304:91Obp2zjJY231tFaCYTlZE1JLFSNGw6eJm5JeHxFKw7/X26jOnCB9XmtPtX4S8Bf:91OF2zjVpYD8vDwJmaHxbS2Os9qP0eEV
                                                                                                                                                                                                                              MD5:8433EAED37248E24EB963A444E5E1EED
                                                                                                                                                                                                                              SHA1:8D004418690587FC541547B2D0EFE2CFD629FBBA
                                                                                                                                                                                                                              SHA-256:7B4A250930BECEDC17B8D67DFEB39EE143B03466E85D2D77282AA52014BCA196
                                                                                                                                                                                                                              SHA-512:8656B020A34F6300F79675954DD56587E7678EC46DE92E53FC945E5FEFA476504761DB0FB0AD6F3C2C9F97D52CDD3767399EB8FC8655BCE5E77C40C1BE99BF56
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):64
                                                                                                                                                                                                                              Entropy (8bit):1.1940658735648508
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:NlllulJnp/p:NllU
                                                                                                                                                                                                                              MD5:BC6DB77EB243BF62DC31267706650173
                                                                                                                                                                                                                              SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                                                                                                                                                                                              SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                                                                                                                                                                                              SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:@...e.................................X..............@..........
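Each dropped-file entry above is read field by field during triage: the size and 8-bit entropy say whether the payload is likely packed or encrypted, the hash set is what gets searched in threat intelligence, and the Preview exposes the DOS-stub text that hints at the toolchain (the standard "This program cannot be run in DOS mode", the Borland/Delphi "This program must be run under Win32", and the non-standard "Require Windows" stub seen in the 108,893,416-byte drop). The following Python recomputes those fields for constructed sample bytes. It is an added example, not code from the Joe Sandbox report or from the analysed sample. The cut-off `ENTROPY_PACKED_THRESHOLD` is this example's own assumption: Joe Sandbox's rule for Encrypted:true is not stated on this page, and 7.9 was chosen only because it separates the entries flagged true here (entropy 7.99 and above) from those flagged false (7.80 and below). The fake PE headers are built in the script for test input and are not loadable executables.

```python
"""Recompute Joe Sandbox-style dropped-file fields (added example; not report code)."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# Assumed heuristic (not Joe Sandbox's documented rule): entropy at or above this
# value is treated as packed/encrypted. 7.9 separates the report's Encrypted:true
# entries (>= 7.99) from its Encrypted:false entries (<= 7.80).
ENTROPY_PACKED_THRESHOLD = 7.9

# DOS-stub strings visible in the report's Preview fields and their usual origin.
DOS_STUBS = {
    b"This program cannot be run in DOS mode": "standard MS linker stub",
    b"This program must be run under Win32": "Borland/Delphi linker stub",
    b"Require Windows": "non-standard stub (custom loader or packer)",
}
MACHINE_TYPES = {0x014C: "PE32 executable Intel 80386", 0x8664: "PE32+ executable x86-64"}


@dataclass
class FileTriage:
    size: int
    entropy: float
    encrypted: bool
    md5: str
    sha1: str
    sha256: str
    sha512: str
    file_type: str
    dos_stub: str


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0..8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_file_type(data: bytes) -> str:
    """Coarse type from the MZ header and PE signature; 'data' when neither is present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "data"
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ executable (no PE signature)"
    machine = int.from_bytes(data[e_lfanew + 4:e_lfanew + 6], "little")
    return MACHINE_TYPES.get(machine, f"PE executable, machine 0x{machine:04X}")


def dos_stub_kind(data: bytes) -> str:
    """Identify the DOS-stub message in the first 512 bytes (what the Preview shows)."""
    head = data[:0x200]
    for marker, label in DOS_STUBS.items():
        if marker in head:
            return label
    return "none"


def triage(data: bytes) -> FileTriage:
    """Produce the same fields the report prints for one dropped file."""
    entropy = shannon_entropy_8bit(data)
    return FileTriage(
        size=len(data),
        entropy=entropy,
        encrypted=entropy >= ENTROPY_PACKED_THRESHOLD,
        md5=hashlib.md5(data).hexdigest().upper(),
        sha1=hashlib.sha1(data).hexdigest().upper(),
        sha256=hashlib.sha256(data).hexdigest().upper(),
        sha512=hashlib.sha512(data).hexdigest().upper(),
        file_type=pe_file_type(data),
        dos_stub=dos_stub_kind(data),
    )


def build_fake_pe(machine: int, stub: bytes, body: bytes) -> bytes:
    """Constructed MZ header + PE signature for test input only; not a loadable PE."""
    e_lfanew = 0x80
    header = bytearray(b"MZ" + b"\0" * 0x3A)              # pad to the e_lfanew field at 0x3C
    header += e_lfanew.to_bytes(4, "little")              # e_lfanew at 0x3C..0x40
    header += stub.ljust(e_lfanew - len(header), b"\0")   # DOS-stub text up to 0x80
    header += b"PE\0\0" + machine.to_bytes(2, "little")   # signature + IMAGE_FILE_HEADER.Machine
    return bytes(header) + body


# Constructed samples standing in for the report's low-entropy and ~8.0-entropy files.
SAMPLE_PLAIN = build_fake_pe(0x014C, b"This program cannot be run in DOS mode",
                             b"\0" * 4096 + b".text\0\0\0.rdata\0\0" * 32)
SAMPLE_PACKED = build_fake_pe(0x8664, b"This program must be run under Win32",
                              bytes(range(256)) * 256)   # uniform bytes, entropy close to 8.0
SAMPLE_CUSTOM_STUB = build_fake_pe(0x014C, b"Require Windows", b"\0" * 256)

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED), ("custom", SAMPLE_CUSTOM_STUB)):
        t = triage(blob)
        print(f"{name}: {t.file_type}; stub={t.dos_stub}; entropy={t.entropy:.4f}; "
              f"encrypted={t.encrypted}; sha256={t.sha256}")
```

On a real dropped file, `triage(open(path, "rb").read())` gives the values to compare against the report's entry: a SHA-256 mismatch means the file on disk is not the one the sandbox saw, and an entropy near 8.0, as for the 108,893,416-byte file written by kuRSiZPmKhbW1guMqYXCvrAu.exe, explains why it is flagged Encrypted:true while the 303,104-byte .NET assembly at 6.13 is not. Hashes are emitted upper-case to match the report's formatting.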

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 462337
Entropy (8bit): 7.165289332124068
Encrypted: false
SSDEEP: 6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
MD5: 3A4982B7D2352FB3089C01B9F33C25EB
SHA1: A87055A316E5E1227C237E0A44A941F98F583419
SHA-256: 7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
SHA-512: 048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5128704
Entropy (8bit): 7.955603913831852
Encrypted: false
SSDEEP: 98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
MD5: A25CDF843E60F609B970AC9414170A7A
SHA1: 9D0FEE8C64C58D674D383654A4391B8E41D994DC
SHA-256: 109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
SHA-512: E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 462337
Entropy (8bit): 7.165289332124068
Encrypted: false
SSDEEP: 6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
MD5: 3A4982B7D2352FB3089C01B9F33C25EB
SHA1: A87055A316E5E1227C237E0A44A941F98F583419
SHA-256: 7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
SHA-512: 048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4396408
Entropy (8bit): 7.971773908633874
Encrypted: false
SSDEEP: 98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1: CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256: 72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512: CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5128704
Entropy (8bit): 7.955603913831852
Encrypted: false
SSDEEP: 98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
MD5: A25CDF843E60F609B970AC9414170A7A
SHA1: 9D0FEE8C64C58D674D383654A4391B8E41D994DC
SHA-256: 109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
SHA-512: E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category: dropped
Size (bytes): 7446
Entropy (8bit): 5.422209848736349
Encrypted: false
SSDEEP: 192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5: 5B423612B36CDE7F2745455C5DD82577
SHA1: 0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256: E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512: C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious: false
Reputation: unknown
Preview: <!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5128704
Entropy (8bit): 7.955603913831852
Encrypted: false
SSDEEP: 98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
MD5: A25CDF843E60F609B970AC9414170A7A
SHA1: 9D0FEE8C64C58D674D383654A4391B8E41D994DC
SHA-256: 109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
SHA-512: E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884127351666352
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:J0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwo:aPMki6zio75L3pf3dedO4keCIwkoYbgI
                                                                                                                                                                                                                              MD5:CD54757EAFA70E59850F77982FAFCB49
                                                                                                                                                                                                                              SHA1:C339E58CD44295099CFFD1AB783FCC65A5A9913F
                                                                                                                                                                                                                              SHA-256:39D50F4716DAEF3C7B75E4DE57441390026036507E9B1676A927B85808BB526F
                                                                                                                                                                                                                              SHA-512:94B24A1E28CD7FE880C2CA6AA21DEFD92CA2B6B5000208A5F8528E4DED777647616D44818C42257C8C6C5F2B95BDE8C484DFE8AF5DFC0DBB198958F93E7D6D33
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R.......R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884126316660053
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:90NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwk:WPMki6zio75L3pf3dedO4keCIwkoYbgE
                                                                                                                                                                                                                              MD5:EF199316DF30CB4E02F45F156EC63A9A
                                                                                                                                                                                                                              SHA1:1D01117469FE286CE64CD27DFCBF939DFC7E8F22
                                                                                                                                                                                                                              SHA-256:858F0951DC8F6A15014CE367AD4CD4274D93881AA5D0B101ED524389CD25BE3D
                                                                                                                                                                                                                              SHA-512:F7BACAE2D24E570911358EDE0B56CC0A94713A1CEBC47BBCB9D83AAD3B357F7CFE5494C0CF5BB2972542F469B9538BAE0F9100C3BBA918DE71040E9FED8C5A9E
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R......\R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884125378117049
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:/0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwy:MPMki6zio75L3pf3dedO4keCIwkoYbgS
                                                                                                                                                                                                                              MD5:B1D3A17EDD5DACC6B98BEC740C1B4A2F
                                                                                                                                                                                                                              SHA1:9E059C6CE6AC7E32D848B29026C34A5D0C1599F0
                                                                                                                                                                                                                              SHA-256:92A81D1CF0DADC90DEA8BD297EAA153A755B3B972D77D141E39C03F76C2D8B28
                                                                                                                                                                                                                              SHA-512:3F9914FE9C10AB719814BEC9625D2BF3F0A564F814FF6AFAC082BEB594D14831640BB2E59A3CA8B1E7F3E9AAB26AA4A416D25C11A752858202B02625995BD505
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R.......S...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884124407997752
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:k0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwww:lPMki6zio75L3pf3dedO4keCIwkoYbgQ
                                                                                                                                                                                                                              MD5:C2F0D0D1B405D1F1476B802BE5DD2ED3
                                                                                                                                                                                                                              SHA1:CFC0651E0B9000018D138442324FB2D4555075E7
                                                                                                                                                                                                                              SHA-256:36A67B04FA544E6C6E2F33A5A837050136ED30360AF0FC3F96868D14F717487E
                                                                                                                                                                                                                              SHA-512:5C930F51A072936B7817ABC2A896DD06961422709D2530C35330B6F79FD0926927AE90BA2F98B6F4CBB8237457473EAF3D5CD32E7943D44CEF2DE9AD366B9B6C
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R.......R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):226792
                                                                                                                                                                                                                              Entropy (8bit):5.789219071166457
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3072:w4aS0s8GplWsHkz1pTFaTUYLsf1J3pWGNU6ITLct9OEoYztX0Y:P0RsWsH81pJEQ33pWGNU6ITLuOEoC
                                                                                                                                                                                                                              MD5:F085259A7C14B5072658974B59FA787A
                                                                                                                                                                                                                              SHA1:2F0BE555543B3A2EF4742B8FA0D5E762C6593FE2
                                                                                                                                                                                                                              SHA-256:DC8300A3E3C8857E0A3E42CDB96C1636F8C1A5052A09B1ABE07A3CD410D875AA
                                                                                                                                                                                                                              SHA-512:BD70B48991491F6AC49E1B5101FF298F5333694DF76C77758FDF6139711FE1E3257F920BA4F8FFC2DC1CB8500E81D5901302A186E5BDC97EA7064CCD0C6C5A7F
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown

Process:C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):61440
Entropy (8bit):3.3799039172752763
Encrypted:false
SSDEEP:384:lY81FFMhllotNxXAs5LUUUt610Gsp2YAeYgU5W0AgWLQE0g7qW2RPT/8rFeZmJhE:lY+LXx5UPt6OgesEz2a
MD5:777BBC2E4DBA510015F23789DA4BB304
SHA1:61B3B6EC7D7CEED71E0EFFC7B011111749E18F6A
SHA-256:09B6ECDFF76EAF9A7FF6BDDC8108F3424F1E35675AD4288ACD3176F54C4997CA
SHA-512:6368473A6352BE757F800A2BAAF1A91C8DE9712D51184B76E36AC64243844574172F97CAEAA2CDDCC0FB5B309E7369758BAA06533FF2C68832F4D149BCA9ABA2
Malicious:true
Reputation:unknown

Process:C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):77824
Entropy (8bit):4.738058947787634
Encrypted:false
SSDEEP:1536:YdxLrtJJNRvQvQ9ur+B/t3TPfcLC6nBEuNZyJFbx/kExUgwuo:WLvRvAr+dt3bfcLC6nBEuD4aExUgC
MD5:094970BBD30BBB9A9F7FF8F875D2354E
SHA1:44CBB90E305F89B5E90DA63060C0664287318C7F
SHA-256:5B3D1935F25B05A7406B9EABF95A009420AA49332BECDD0A0D2062A8B9D6E45B
SHA-512:32C174EAC22705850EF4E647C8A05AC5093244163A7A5D16B7730E8E1E4DF73F488030117FCDE1B77FFC3139164DADD39096B39CCE4DFEB4E15EA6F51CCF310E
Malicious:true
Reputation:unknown

Process:C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):65536
Entropy (8bit):4.241752372493363
Encrypted:false
SSDEEP:1536:yX1QQ34YAnhH4aJUZySmC36W+Z+BPU1ZgfYHXaX:yyXYAnhHlJUZySmCKWW+BcHgfIXaX
MD5:0EEA0A4645FB9E13899AB0181293287E
SHA1:3F4D868B77FF4E7AD1E1D259FBEAD904FB5A86F2
SHA-256:29BFA90795346A2EA3EC30FC8D723AE128C7DBA3A1A30B14E8AF0199A13D0791
SHA-512:EA6A6E0BB086A333AC0B82D333F7BC61A23BCB22C9D085E3936F50C0E6CC36E254E122EA5476C592A4A8C1A1C9B76CD878DCBF3C271DA5E14C5F620C541701A1
Malicious:true
Reputation:unknown

Process:C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):7157248
Entropy (8bit):7.756166190918081
Encrypted:false
SSDEEP:196608:UG0rMh5vMNSBl4rs5EiJlLMBiLPUGylg28X3:U5QSWmkEiJlLMY7UGU/8n
MD5:E77964E011D8880EAE95422769249CA4
SHA1:8E15D7C4B7812A1DA6C91738C7178ADF0FF3200F
SHA-256:F200984380D291051FC4B342641CD34E7560CADF4AF41B2E02B8778F14418F50
SHA-512:8FEB3DC4432EC0A87416CBC75110D59EFAF6504B4DE43090FC90286BD37F98FC0A5FB12878BB33AC2F6CD83252E8DFD67DD96871B4A224199C1F595D33D4CADE
Malicious:true
Reputation:unknown

Process:C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):155648
Entropy (8bit):5.67309607555863
Encrypted:false
SSDEEP:3072:QV7/3zsK27yVjO+zMguhQIvM+PeaIiZNbPbMsGtRaylkQ3tG:SgKdjO+z/WQOM+W8bPbMsMbkQ3
MD5:8E4C26A02B8BA95CBC54E6215A283E52
SHA1:73C0A8707A1EA4AFF419323CDC4A5530CF4132A8
SHA-256:D892CF9EB8B03E451A9B9ED99DCF1B478A01F57FB467D8314CB4C5E8667826A5
SHA-512:1E971AC739FCF57B3F4EDB8A77FB664DF9275B57A9C7818B4F2D93C440F8FFA37598EAA76836E0BCFB268FF601C518BB5CA2AEEA26FEF4D41EE19DB50AAA700F
Malicious:true
Reputation:unknown

Process:C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe
File Type:Windows SYSTEM.INI
Category:dropped
Size (bytes):206
Entropy (8bit):4.986195774943704
Encrypted:false
SSDEEP:6:aQ44VvYv+WdH5rjJ30yf1fDB9fjf4sSE2iUPTen:F4YvC+AjJ30ypB1woIen
MD5:EE600165C40F493305A7EE244D75FE76
SHA1:911528DF3CB23863AF79E20D5E0B8964FF38AE95
SHA-256:1D9A44084D4E22C8940EA2E79461B868FDD3C0F01F17AEF490C148B73327D5BF
SHA-512:8D0B36550C1CE2DD304DE9EFB2A0C2524E2EEBB938E0167B7ACE71D215B1312EB12C69089B7500382A7210E04492A9DC6D5654DA1A7E481C600CC6B6E660BE26
Malicious:false
Reputation:unknown
Preview:; for 16-bit app support.[386Enh].woafont=dosapp.fon.EGA80WOA.FON=EGA80WOA.FON.EGA40WOA.FON=EGA40WOA.FON.CGA80WOA.FON=CGA80WOA.FON.CGA40WOA.FON=CGA40WOA.FON..[drivers].wave=mmdrv.dll.timer=timer.drv..[mci].

Process:C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):7157248
Entropy (8bit):7.756166190918081
Encrypted:false
SSDEEP:196608:UG0rMh5vMNSBl4rs5EiJlLMBiLPUGylg28X3:U5QSWmkEiJlLMY7UGU/8n
MD5:E77964E011D8880EAE95422769249CA4
SHA1:8E15D7C4B7812A1DA6C91738C7178ADF0FF3200F
SHA-256:F200984380D291051FC4B342641CD34E7560CADF4AF41B2E02B8778F14418F50
SHA-512:8FEB3DC4432EC0A87416CBC75110D59EFAF6504B4DE43090FC90286BD37F98FC0A5FB12878BB33AC2F6CD83252E8DFD67DD96871B4A224199C1F595D33D4CADE
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................R.......l.......m......zF...........b.h....b.l.....b.S....Rich...................PE..L......a..........................................@..........................P......m.m...@..........................................@...........................A.................................. .l.@............................................text...=........................... ..`.data............B`.................@....idata................l.............@..@.debug................l.............@....reloc...A.......B....l.............@..B.rsrc........@.......,m.............@..@........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4834208
                                                                                                                                                                                                                              Entropy (8bit):6.8789283673838595
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:e6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwww4:oPMki6zio75L3pf3dedO4keCIwkoYbgI
                                                                                                                                                                                                                              MD5:0415CB7BE0361A74A039D5F31E72FA65
                                                                                                                                                                                                                              SHA1:46AE154436C8C059EE75CBC6A18CCDA96BB2021D
                                                                                                                                                                                                                              SHA-256:BB38A8806705980EE3E9181C099E8D5C425E6C9505A88E5AF538CA6A48951798
                                                                                                                                                                                                                              SHA-512:F71C2B9E1559AA4EB2D72F852EF9807C781D4A7B96B8E0C2C53B895885319146BD43AA6E4223D43159F3D40BC60704206404DC034500E47FCA0A94E53B60239E
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."!......3..|.......L*......................................PK.....32J...@A......................... ;.m....!;......`=..4............I..)....I.D...\.:.......................:......73.............D,;.8.....;.`....................text...x.3.......3................. ..`.rdata...^...03..`....3.............@..@.data.........;..@...|;.............@....rodata......0=.......;............. ..`.tls....]....@=.......;.............@...CPADinfo0....P=.......;.............@....rsrc....4...`=..6....;.............@..@.reloc..D.....I.......G.............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4834208
                                                                                                                                                                                                                              Entropy (8bit):6.8789283673838595
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:e6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwww4:oPMki6zio75L3pf3dedO4keCIwkoYbgI
                                                                                                                                                                                                                              MD5:0415CB7BE0361A74A039D5F31E72FA65
                                                                                                                                                                                                                              SHA1:46AE154436C8C059EE75CBC6A18CCDA96BB2021D
                                                                                                                                                                                                                              SHA-256:BB38A8806705980EE3E9181C099E8D5C425E6C9505A88E5AF538CA6A48951798
                                                                                                                                                                                                                              SHA-512:F71C2B9E1559AA4EB2D72F852EF9807C781D4A7B96B8E0C2C53B895885319146BD43AA6E4223D43159F3D40BC60704206404DC034500E47FCA0A94E53B60239E
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."!......3..|.......L*......................................PK.....32J...@A......................... ;.m....!;......`=..4............I..)....I.D...\.:.......................:......73.............D,;.8.....;.`....................text...x.3.......3................. ..`.rdata...^...03..`....3.............@..@.data.........;..@...|;.............@....rodata......0=.......;............. ..`.tls....]....@=.......;.............@...CPADinfo0....P=.......;.............@....rsrc....4...`=..6....;.............@..@.reloc..D.....I.......G.............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4834208
                                                                                                                                                                                                                              Entropy (8bit):6.8789283673838595
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:e6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwww4:oPMki6zio75L3pf3dedO4keCIwkoYbgI
                                                                                                                                                                                                                              MD5:0415CB7BE0361A74A039D5F31E72FA65
                                                                                                                                                                                                                              SHA1:46AE154436C8C059EE75CBC6A18CCDA96BB2021D
                                                                                                                                                                                                                              SHA-256:BB38A8806705980EE3E9181C099E8D5C425E6C9505A88E5AF538CA6A48951798
                                                                                                                                                                                                                              SHA-512:F71C2B9E1559AA4EB2D72F852EF9807C781D4A7B96B8E0C2C53B895885319146BD43AA6E4223D43159F3D40BC60704206404DC034500E47FCA0A94E53B60239E
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."!......3..|.......L*......................................PK.....32J...@A......................... ;.m....!;......`=..4............I..)....I.D...\.:.......................:......73.............D,;.8.....;.`....................text...x.3.......3................. ..`.rdata...^...03..`....3.............@..@.data.........;..@...|;.............@....rodata......0=.......;............. ..`.tls....]....@=.......;.............@...CPADinfo0....P=.......;.............@....rsrc....4...`=..6....;.............@..@.reloc..D.....I.......G.............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4834208
                                                                                                                                                                                                                              Entropy (8bit):6.8789283673838595
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:e6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwww4:oPMki6zio75L3pf3dedO4keCIwkoYbgI
                                                                                                                                                                                                                              MD5:0415CB7BE0361A74A039D5F31E72FA65
                                                                                                                                                                                                                              SHA1:46AE154436C8C059EE75CBC6A18CCDA96BB2021D
                                                                                                                                                                                                                              SHA-256:BB38A8806705980EE3E9181C099E8D5C425E6C9505A88E5AF538CA6A48951798
                                                                                                                                                                                                                              SHA-512:F71C2B9E1559AA4EB2D72F852EF9807C781D4A7B96B8E0C2C53B895885319146BD43AA6E4223D43159F3D40BC60704206404DC034500E47FCA0A94E53B60239E
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."!......3..|.......L*......................................PK.....32J...@A......................... ;.m....!;......`=..4............I..)....I.D...\.:.......................:......73.............D,;.8.....;.`....................text...x.3.......3................. ..`.rdata...^...03..`....3.............@..@.data.........;..@...|;.............@....rodata......0=.......;............. ..`.tls....]....@=.......;.............@...CPADinfo0....P=.......;.............@....rsrc....4...`=..6....;.............@..@.reloc..D.....I.......G.............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4834208
                                                                                                                                                                                                                              Entropy (8bit):6.8789283673838595
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:e6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwww4:oPMki6zio75L3pf3dedO4keCIwkoYbgI
                                                                                                                                                                                                                              MD5:0415CB7BE0361A74A039D5F31E72FA65
                                                                                                                                                                                                                              SHA1:46AE154436C8C059EE75CBC6A18CCDA96BB2021D
                                                                                                                                                                                                                              SHA-256:BB38A8806705980EE3E9181C099E8D5C425E6C9505A88E5AF538CA6A48951798
                                                                                                                                                                                                                              SHA-512:F71C2B9E1559AA4EB2D72F852EF9807C781D4A7B96B8E0C2C53B895885319146BD43AA6E4223D43159F3D40BC60704206404DC034500E47FCA0A94E53B60239E
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."!......3..|.......L*......................................PK.....32J...@A......................... ;.m....!;......`=..4............I..)....I.D...\.:.......................:......73.............D,;.8.....;.`....................text...x.3.......3................. ..`.rdata...^...03..`....3.............@..@.data.........;..@...|;.............@....rodata......0=.......;............. ..`.tls....]....@=.......;.............@...CPADinfo0....P=.......;.............@....rsrc....4...`=..6....;.............@..@.reloc..D.....I.......G.............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\T2RIU3FpH6dczIGTG32vuvvE.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4834208
                                                                                                                                                                                                                              Entropy (8bit):6.8789283673838595
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:e6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwww4:oPMki6zio75L3pf3dedO4keCIwkoYbgI
                                                                                                                                                                                                                              MD5:0415CB7BE0361A74A039D5F31E72FA65
                                                                                                                                                                                                                              SHA1:46AE154436C8C059EE75CBC6A18CCDA96BB2021D
                                                                                                                                                                                                                              SHA-256:BB38A8806705980EE3E9181C099E8D5C425E6C9505A88E5AF538CA6A48951798
                                                                                                                                                                                                                              SHA-512:F71C2B9E1559AA4EB2D72F852EF9807C781D4A7B96B8E0C2C53B895885319146BD43AA6E4223D43159F3D40BC60704206404DC034500E47FCA0A94E53B60239E
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."!......3..|.......L*......................................PK.....32J...@A......................... ;.m....!;......`=..4............I..)....I.D...\.:.......................:......73.............D,;.8.....;.`....................text...x.3.......3................. ..`.rdata...^...03..`....3.............@..@.data.........;..@...|;.............@....rodata......0=.......;............. ..`.tls....]....@=.......;.............@...CPADinfo0....P=.......;.............@....rsrc....4...`=..6....;.............@..@.reloc..D.....I.......G.............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4834208
                                                                                                                                                                                                                              Entropy (8bit):6.8789283673838595
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:e6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwww4:oPMki6zio75L3pf3dedO4keCIwkoYbgI
                                                                                                                                                                                                                              MD5:0415CB7BE0361A74A039D5F31E72FA65
                                                                                                                                                                                                                              SHA1:46AE154436C8C059EE75CBC6A18CCDA96BB2021D
                                                                                                                                                                                                                              SHA-256:BB38A8806705980EE3E9181C099E8D5C425E6C9505A88E5AF538CA6A48951798
                                                                                                                                                                                                                              SHA-512:F71C2B9E1559AA4EB2D72F852EF9807C781D4A7B96B8E0C2C53B895885319146BD43AA6E4223D43159F3D40BC60704206404DC034500E47FCA0A94E53B60239E
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."!......3..|.......L*......................................PK.....32J...@A......................... ;.m....!;......`=..4............I..)....I.D...\.:.......................:......73.............D,;.8.....;.`....................text...x.3.......3................. ..`.rdata...^...03..`....3.............@..@.data.........;..@...|;.............@....rodata......0=.......;............. ..`.tls....]....@=.......;.............@...CPADinfo0....P=.......;.............@....rsrc....4...`=..6....;.............@..@.reloc..D.....I.......G.............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\0XytwVHS3WE9jtGuuRid6GiP.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4834208
                                                                                                                                                                                                                              Entropy (8bit):6.8789283673838595
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:e6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwww4:oPMki6zio75L3pf3dedO4keCIwkoYbgI
                                                                                                                                                                                                                              MD5:0415CB7BE0361A74A039D5F31E72FA65
                                                                                                                                                                                                                              SHA1:46AE154436C8C059EE75CBC6A18CCDA96BB2021D
                                                                                                                                                                                                                              SHA-256:BB38A8806705980EE3E9181C099E8D5C425E6C9505A88E5AF538CA6A48951798
                                                                                                                                                                                                                              SHA-512:F71C2B9E1559AA4EB2D72F852EF9807C781D4A7B96B8E0C2C53B895885319146BD43AA6E4223D43159F3D40BC60704206404DC034500E47FCA0A94E53B60239E
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."!......3..|.......L*......................................PK.....32J...@A......................... ;.m....!;......`=..4............I..)....I.D...\.:.......................:......73.............D,;.8.....;.`....................text...x.3.......3................. ..`.rdata...^...03..`....3.............@..@.data.........;..@...|;.............@....rodata......0=.......;............. ..`.tls....]....@=.......;.............@...CPADinfo0....P=.......;.............@....rsrc....4...`=..6....;.............@..@.reloc..D.....I.......G.............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4834208
                                                                                                                                                                                                                              Entropy (8bit):6.8789283673838595
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:e6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwww4:oPMki6zio75L3pf3dedO4keCIwkoYbgI
                                                                                                                                                                                                                              MD5:0415CB7BE0361A74A039D5F31E72FA65
                                                                                                                                                                                                                              SHA1:46AE154436C8C059EE75CBC6A18CCDA96BB2021D
                                                                                                                                                                                                                              SHA-256:BB38A8806705980EE3E9181C099E8D5C425E6C9505A88E5AF538CA6A48951798
                                                                                                                                                                                                                              SHA-512:F71C2B9E1559AA4EB2D72F852EF9807C781D4A7B96B8E0C2C53B895885319146BD43AA6E4223D43159F3D40BC60704206404DC034500E47FCA0A94E53B60239E
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."!......3..|.......L*......................................PK.....32J...@A......................... ;.m....!;......`=..4............I..)....I.D...\.:.......................:......73.............D,;.8.....;.`....................text...x.3.......3................. ..`.rdata...^...03..`....3.............@..@.data.........;..@...|;.............@....rodata......0=.......;............. ..`.tls....]....@=.......;.............@...CPADinfo0....P=.......;.............@....rsrc....4...`=..6....;.............@..@.reloc..D.....I.......G.............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):11477272
                                                                                                                                                                                                                              Entropy (8bit):7.98890415113179
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:196608:QfUT52JXoXQWP2Eq/XJAutPwUON8fTqKYlrQHM9/y46DXKDqWDnbO:wM+0Qkc/XekTqKCeM9/z6D5eO
                                                                                                                                                                                                                              MD5:E8295A7EF2D88AA3A16361A5E53FEB3C
                                                                                                                                                                                                                              SHA1:B07A32538E0540A467203F343BB64E6536D36730
                                                                                                                                                                                                                              SHA-256:18EC7B686D8FF469E63B2568210F5886E9E5512A651137E7FB5E8009A41A54BE
                                                                                                                                                                                                                              SHA-512:FC4DA2E0F157012FA88F42D7855405E2B078A61548500501CA509937FEA78A3024B14A36EA59207A1D2C0A46BE54CA3919BE578A01D6BD93725B87B3151D6157
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z.........................................@......................................@.............................................V...............h.......*>..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc...V...........................@..@.reloc...=.......>...P..............@..B................................................................................................................................................................................................................................................
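The rows above each carry the same per-file facts: size, 8-bit entropy, hashes, a File Type label derived from the PE headers, and a Preview whose section names (.text, .rdata, .data, .rodata, .tls, CPADinfo, .rsrc, .reloc in the 4,834,208-byte DLL; .wixburn in the 11,477,272-byte installer) are the quickest visual cue to what kind of binary was dropped. The following Python is an added example, not part of the Joe Sandbox report or its tooling, that reproduces those fields from raw bytes: Shannon entropy in bits per byte (the report's "Entropy (8bit)"), SHA-256, and a File Type string built from the COFF machine, the DLL characteristic, the optional-header subsystem and the section table. The PE image it runs on is a constructed skeleton with the same section names as the DLL above; it is not that sample, and the IMAGE_FILE_* constants and helper names are this example's own.

```python
"""Reproduce the per-file fields of a dropped-file row from raw bytes.

Constructed example. build_minimal_pe() emits a synthetic PE32 skeleton for
demonstration; it is not one of the samples listed in the report.
"""
import hashlib
import math
import struct
from collections import Counter

IMAGE_FILE_DLL = 0x2000            # Characteristics bit: image is a DLL
IMAGE_FILE_MACHINE_I386 = 0x14C    # "Intel 80386" in the File Type label
IMAGE_FILE_MACHINE_AMD64 = 0x8664
SUBSYSTEM_NAMES = {2: "GUI", 3: "console"}


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 .. 8.0; this is the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Read machine, DLL flag, subsystem and section names from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    table = opt + opt_size
    names = []
    for i in range(nsect):
        raw = data[table + 40 * i:table + 40 * i + 8]        # 8-byte name, no NUL when all 8 are used
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "pe32plus": magic == 0x20B,
        "machine": machine,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "sections": names,
    }


def file_type_string(info: dict) -> str:
    """Label in the shape the report's 'File Type' field uses."""
    arch = {IMAGE_FILE_MACHINE_I386: "Intel 80386",
            IMAGE_FILE_MACHINE_AMD64: "x86-64"}.get(info["machine"], hex(info["machine"]))
    kind = "PE32+" if info["pe32plus"] else "PE32"
    dll = " (DLL)" if info["is_dll"] else ""
    return f"{kind} executable{dll} ({info['subsystem']}) {arch}, for MS Windows"


def triage(data: bytes) -> dict:
    """The per-file facts a dropped-file row carries, computed from the bytes."""
    info = parse_pe(data)
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "entropy": round(shannon_entropy_8bit(data), 6),
        "file_type": file_type_string(info),
        "sections": info["sections"],
    }


def build_minimal_pe(section_names, machine=IMAGE_FILE_MACHINE_I386, dll=True, subsystem=3) -> bytes:
    """Constructed stand-in: a PE32 skeleton with named, empty sections. Not a real sample."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE header follows the DOS header
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)           # EXECUTABLE_IMAGE | 32BIT_MACHINE [| DLL]
    opt_size = 0xE0                                           # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Section names as they appear in the Preview column of the 4,834,208-byte DLL above.
SAMPLE_SECTIONS = [".text", ".rdata", ".data", ".rodata", ".tls", "CPADinfo", ".rsrc", ".reloc"]

if __name__ == "__main__":
    for key, value in triage(build_minimal_pe(SAMPLE_SECTIONS)).items():
        print(f"{key}: {value}")
```

Two points worth keeping in mind when reading the rows with this in hand. First, identical SHA-256 values across rows mean one file written to several paths by several processes (the three DLL rows above share BB38A880...1798), so hash-keyed deduplication collapses them before any deeper work. Second, high entropy alone does not separate compression from encryption: the 11,477,272-byte installer carries a .wixburn section, i.e. a WiX Burn bundle whose attached payload container is compressed, and scores 7.99 while the report still marks it Encrypted:false.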
Process:C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):316928
Entropy (8bit):6.5384031016599335
Encrypted:false
SSDEEP:3072:VXhcLiw/LJbz7zkSfF5FKK7+nP2BlXE5AkSxol8hnT6AUgC5u0qQARvEp5n4CTTm:7WLJTgGF/KK71D6M+ATIkJva54CTT
MD5:A806C9ADE161DF230774CB3E9576FC2C
SHA1:EE89218471387B22612F6C9D40F325403E9D0022
SHA-256:D68E57DCF44133441298CF23CBAF3AF9AFC4B2A95A1875928AFF74571B49B713
SHA-512:BEE629EFBCCCB379EDD6876C630CD52EE3ECC446CB39CF9A1B6B602B8CB92383427E3EEAFBE9ABF47DE87C09E5FA9B909F7FFAA3E3DE3720121D2E0AB3AC40B6
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4866096
Entropy (8bit):6.542818068158205
Encrypted:false
SSDEEP:49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:397926927BCA55BE4A77839B1C44DE6E
SHA1:E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u224.1.exe, Author: Joe Security
Reputation:unknown
Process:C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):316928
Entropy (8bit):6.5384031016599335
Encrypted:false
SSDEEP:3072:VXhcLiw/LJbz7zkSfF5FKK7+nP2BlXE5AkSxol8hnT6AUgC5u0qQARvEp5n4CTTm:7WLJTgGF/KK71D6M+ATIkJva54CTT
MD5:A806C9ADE161DF230774CB3E9576FC2C
SHA1:EE89218471387B22612F6C9D40F325403E9D0022
SHA-256:D68E57DCF44133441298CF23CBAF3AF9AFC4B2A95A1875928AFF74571B49B713
SHA-512:BEE629EFBCCCB379EDD6876C630CD52EE3ECC446CB39CF9A1B6B602B8CB92383427E3EEAFBE9ABF47DE87C09E5FA9B909F7FFAA3E3DE3720121D2E0AB3AC40B6
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):316928
Entropy (8bit):6.5384031016599335
Encrypted:false
SSDEEP:3072:VXhcLiw/LJbz7zkSfF5FKK7+nP2BlXE5AkSxol8hnT6AUgC5u0qQARvEp5n4CTTm:7WLJTgGF/KK71D6M+ATIkJva54CTT
MD5:A806C9ADE161DF230774CB3E9576FC2C
SHA1:EE89218471387B22612F6C9D40F325403E9D0022
SHA-256:D68E57DCF44133441298CF23CBAF3AF9AFC4B2A95A1875928AFF74571B49B713
SHA-512:BEE629EFBCCCB379EDD6876C630CD52EE3ECC446CB39CF9A1B6B602B8CB92383427E3EEAFBE9ABF47DE87C09E5FA9B909F7FFAA3E3DE3720121D2E0AB3AC40B6
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4866096
Entropy (8bit):6.542818068158205
Encrypted:false
SSDEEP:49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:397926927BCA55BE4A77839B1C44DE6E
SHA1:E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u63s.1.exe, Author: Joe Security
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):462337
Entropy (8bit):7.165289332124068
Encrypted:false
SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
MD5:3A4982B7D2352FB3089C01B9F33C25EB
SHA1:A87055A316E5E1227C237E0A44A941F98F583419
SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4396408
Entropy (8bit):7.971773908633874
Encrypted:false
SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4396408
Entropy (8bit): 7.971773908633874
Encrypted: false
SSDEEP: 98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1: CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256: 72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512: CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category: dropped
Size (bytes): 7446
Entropy (8bit): 5.422209848736349
Encrypted: false
SSDEEP: 192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5: 5B423612B36CDE7F2745455C5DD82577
SHA1: 0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256: E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512: C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious: false
Reputation: unknown
Preview: <!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category: dropped
Size (bytes): 7446
Entropy (8bit): 5.422209848736349
Encrypted: false
SSDEEP: 192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5: 5B423612B36CDE7F2745455C5DD82577
SHA1: 0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256: E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512: C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious: false
Reputation: unknown
Preview: <!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5388160
Entropy (8bit): 6.884124407997752
Encrypted: false
SSDEEP: 98304:k0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwww:lPMki6zio75L3pf3dedO4keCIwkoYbgQ
MD5: C2F0D0D1B405D1F1476B802BE5DD2ED3
SHA1: CFC0651E0B9000018D138442324FB2D4555075E7
SHA-256: 36A67B04FA544E6C6E2F33A5A837050136ED30360AF0FC3F96868D14F717487E
SHA-512: 5C930F51A072936B7817ABC2A896DD06961422709D2530C35330B6F79FD0926927AE90BA2F98B6F4CBB8237457473EAF3D5CD32E7943D44CEF2DE9AD366B9B6C
Malicious: true
Reputation: unknown
Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R.......R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5128704
Entropy (8bit): 7.955603913831852
Encrypted: false
SSDEEP: 98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
MD5: A25CDF843E60F609B970AC9414170A7A
SHA1: 9D0FEE8C64C58D674D383654A4391B8E41D994DC
SHA-256: 109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
SHA-512: E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4396408
Entropy (8bit): 7.971773908633874
Encrypted: false
SSDEEP: 98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1: CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256: 72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512: CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4396408
Entropy (8bit): 7.971773908633874
Encrypted: false
SSDEEP: 98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1: CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256: 72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512: CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious: true
Reputation: unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):462337
                                                                                                                                                                                                                              Entropy (8bit):7.165289332124068
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
                                                                                                                                                                                                                              MD5:3A4982B7D2352FB3089C01B9F33C25EB
                                                                                                                                                                                                                              SHA1:A87055A316E5E1227C237E0A44A941F98F583419
                                                                                                                                                                                                                              SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
                                                                                                                                                                                                                              SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884126803368091
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:f0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwg:sPMki6zio75L3pf3dedO4keCIwkoYbgA
                                                                                                                                                                                                                              MD5:47EB5DBC3AD1B569D0776F4CBF111342
                                                                                                                                                                                                                              SHA1:7C4A9800EAD26F628DE6C2E978242277BE707960
                                                                                                                                                                                                                              SHA-256:7A23897DCF9E267246C03EFB73C166D9D9B90B42B1913F87F3773B807581C3F5
                                                                                                                                                                                                                              SHA-512:AC33DDB04428CF35E519C4566DC4A63746600B1295F36942F26BD2E28C2E619AB031E5985BB7059BAB2B92F97728EFC82C30E81F1547CCD8ED4A68132966B78A
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R......(S...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):462337
Entropy (8bit):7.165289332124068
Encrypted:false
SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
MD5:3A4982B7D2352FB3089C01B9F33C25EB
SHA1:A87055A316E5E1227C237E0A44A941F98F583419
SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):5128704
Entropy (8bit):7.955603913831852
Encrypted:false
SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
MD5:A25CDF843E60F609B970AC9414170A7A
SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):462337
Entropy (8bit):7.165289332124068
Encrypted:false
SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
MD5:3A4982B7D2352FB3089C01B9F33C25EB
SHA1:A87055A316E5E1227C237E0A44A941F98F583419
SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4396408
Entropy (8bit):7.971773908633874
Encrypted:false
SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):6802728
Entropy (8bit):7.996235974818118
Encrypted:true
SSDEEP:196608:91OXbE7giOz8u70OteFI7tfL6TCdPeMLN3IA:3OIBOUIECdVLN4A
MD5:5D5DA0738299D8893B79A6C926765E5F
SHA1:B05C2CFD30CA1C163CB829B7E7E5EA2D6C57D1D1
SHA-256:53C80BEE05D28FE65AB0AE6459753FE7B804C0B68B85FAAF828576687EF28CA3
SHA-512:D9FFFE943131E71762F5E2E1AD3D23053069F0F028054BE9EC2C8491A6812ADADACBF099AB8FA79CA9916CEDA14CCAEDFE4A0E1E5235871A97145EF77D7B0B26
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5388160
Entropy (8bit):6.884128419820281
Encrypted:false
SSDEEP:98304:P0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwh:cPMki6zio75L3pf3dedO4keCIwkoYbgB
MD5:5E71284947BF8E2B1B90B843D650CA13
SHA1:9C52DC35DC332632569056816836B747F73BB238
SHA-256:436FCD6CC8AC3A9761939819D7CDB47EEF995145BFDD7BB5A3FF302414878875
SHA-512:DD8989FB9E67D704F4F562C6D12398880690E1FDC27022F705470EC273C85D3965E0230203576C564F50C0BEC5EBC7F870CE2A665EFBA4A8E0ACC78215B1D2F0
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):7446
                                                                                                                                                                                                                              Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                              MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                              SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                              SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                              SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):462337
                                                                                                                                                                                                                              Entropy (8bit):7.165289332124068
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
                                                                                                                                                                                                                              MD5:3A4982B7D2352FB3089C01B9F33C25EB
                                                                                                                                                                                                                              SHA1:A87055A316E5E1227C237E0A44A941F98F583419
                                                                                                                                                                                                                              SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
                                                                                                                                                                                                                              SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):7446
                                                                                                                                                                                                                              Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                              MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                              SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                              SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                              SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):462337
                                                                                                                                                                                                                              Entropy (8bit):7.165289332124068
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
                                                                                                                                                                                                                              MD5:3A4982B7D2352FB3089C01B9F33C25EB
                                                                                                                                                                                                                              SHA1:A87055A316E5E1227C237E0A44A941F98F583419
                                                                                                                                                                                                                              SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
                                                                                                                                                                                                                              SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884125904829497
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:y0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwww6:HPMki6zio75L3pf3dedO4keCIwkoYbga
                                                                                                                                                                                                                              MD5:611A07F1F59CB67D20A7609D6444442D
                                                                                                                                                                                                                              SHA1:31B42E9431BA12416B2336E83BD0730D35790060
                                                                                                                                                                                                                              SHA-256:854BD34503D6676B526FF736B40FB3A65A2C089C66D7728BCA417E699440A049
                                                                                                                                                                                                                              SHA-512:D948E425E7BDCDC5C2AB7C0D7D60F133A964BA90F58DEDD5060A097F25D44B87DC3E5CD0DF9DAB378D46BC11AC206830F0137EA15A8CC17F99A4AE22A2B13055
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R.....?.R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4396408
Entropy (8bit):7.971773908633874
Encrypted:false
SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):462337
Entropy (8bit):7.165289332124068
Encrypted:false
SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
MD5:3A4982B7D2352FB3089C01B9F33C25EB
SHA1:A87055A316E5E1227C237E0A44A941F98F583419
SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):5128704
Entropy (8bit):7.955603913831852
Encrypted:false
SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
MD5:A25CDF843E60F609B970AC9414170A7A
SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):462337
Entropy (8bit):7.165289332124068
Encrypted:false
SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
MD5:3A4982B7D2352FB3089C01B9F33C25EB
SHA1:A87055A316E5E1227C237E0A44A941F98F583419
SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4396408
Entropy (8bit):7.971773908633874
Encrypted:false
SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5388160
Entropy (8bit):6.884126316660053
Encrypted:false
SSDEEP:98304:90NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwk:WPMki6zio75L3pf3dedO4keCIwkoYbgE
MD5:EF199316DF30CB4E02F45F156EC63A9A
SHA1:1D01117469FE286CE64CD27DFCBF939DFC7E8F22
SHA-256:858F0951DC8F6A15014CE367AD4CD4274D93881AA5D0B101ED524389CD25BE3D
SHA-512:F7BACAE2D24E570911358EDE0B56CC0A94713A1CEBC47BBCB9D83AAD3B357F7CFE5494C0CF5BB2972542F469B9538BAE0F9100C3BBA918DE71040E9FED8C5A9E
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
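The two fields a reviewer reads first in records like the one above are the 8-bit entropy (7.95 on 5 MB is near the 8.0 ceiling, i.e. the body is compressed or encrypted) and the section table in the preview, which here carries `.vmp#`-prefixed names with non-printable bytes next to the usual `.text`/`.rdata`/`.data`. The Python below reproduces both checks on a file so they can be run on a dropped sample before it is opened in a disassembler. It is an added example, not code from the Joe Sandbox report or from the sample; `STANDARD_SECTIONS`, the `HIGH_ENTROPY` threshold and the synthetic PE built by `build_sample_pe()` are assumptions made for the demonstration.

```python
"""Triage helper for dropped PE files: whole-file and per-section 8-bit
Shannon entropy (the report's "Entropy (8bit)" column) plus a check for
section names a normal linker would not emit.

Added example, not part of the Joe Sandbox report or the sample. The PE built
by build_sample_pe() is synthetic; STANDARD_SECTIONS and HIGH_ENTROPY are
assumed triage values, not values taken from the report.
"""
import math
import struct
from collections import Counter
from typing import NamedTuple

# Section names commonly emitted by MSVC-style toolchains (assumed allow-list).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".tls", ".bss", ".CRT", "_RDATA"}
HIGH_ENTROPY = 7.2  # assumed threshold; packed or encrypted payloads sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class Section(NamedTuple):
    name: str
    raw_offset: int
    raw_size: int
    entropy: float
    odd_name: bool


def parse_sections(pe: bytes) -> list[Section]:
    """Walk the PE section table (PE32 or PE32+); ValueError on a bad header."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt              # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        body = pe[raw_ptr:raw_ptr + raw_size]
        # Anything outside the allow-list is flagged; that covers the ".vmp#..."
        # names in the preview above, which also carry non-printable bytes.
        sections.append(Section(name, raw_ptr, raw_size, shannon_entropy(body),
                                name not in STANDARD_SECTIONS))
    return sections


def triage(pe: bytes) -> dict:
    """Summarise the indicators a reviewer checks before opening the sample."""
    sections = parse_sections(pe)
    return {
        "file_entropy": round(shannon_entropy(pe), 3),
        "odd_sections": [s.name for s in sections if s.odd_name],
        "high_entropy_sections": [s.name for s in sections if s.entropy > HIGH_ENTROPY],
        # An oddly named section that is also near-random is the classic
        # protector signature (VMProtect, Themida, custom crypters).
        "likely_packed": any(s.odd_name and s.entropy > HIGH_ENTROPY for s in sections),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+: a low-entropy .text and a near-random .vmp#* section."""
    text_body = b"\x90" * 512 + b"\xC3" * 512        # two byte values: 1.0 bit/byte
    vmp_body = bytes(range(256)) * 8                  # every value 8 times: 8.0 bits/byte
    size_opt = 240                                    # PE32+ optional header size
    hdr_len = 0x40 + 4 + 20 + size_opt + 40 * 2
    text_ptr = (hdr_len + 0x1FF) & ~0x1FF             # 512-byte file alignment
    vmp_ptr = text_ptr + len(text_body)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic

    def sec(name: bytes, vaddr: int, size: int, ptr: int, chars: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, ptr, 0, 0, 0, 0, chars)

    table = sec(b".text", 0x1000, len(text_body), text_ptr, 0x60000020)
    table += sec(b".vmp#\x1cV7", 0x2000, len(vmp_body), vmp_ptr, 0xE0000060)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    image += b"\0" * (text_ptr - len(image))
    return image + text_body + vmp_body


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

Per-section entropy is more telling than the whole-file figure the report prints: a file with a small clean loader and one huge encrypted blob averages out below 8.0, but the blob's own section still reads near 8.0 and, combined with a non-standard name, points straight at a protector stub. Run `triage(open(path, "rb").read())` on a real dropped file; the synthetic PE is only there so the block executes offline.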
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):462337
                                                                                                                                                                                                                              Entropy (8bit):7.165289332124068
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
                                                                                                                                                                                                                              MD5:3A4982B7D2352FB3089C01B9F33C25EB
                                                                                                                                                                                                                              SHA1:A87055A316E5E1227C237E0A44A941F98F583419
                                                                                                                                                                                                                              SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
                                                                                                                                                                                                                              SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):7446
                                                                                                                                                                                                                              Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                              MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                              SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                              SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                              SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.882014449776854
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5uKce2JUSpnJF:fE1wkn23uK52e2F
                                                                                                                                                                                                                              MD5:322CC167912128E7F0186FECF8FD74A0
                                                                                                                                                                                                                              SHA1:DD0AA631C5A41CB05C56986D75CCF480A223E364
                                                                                                                                                                                                                              SHA-256:65067F7F6CE68F30A98E668966740AB19E523F441C1348903EF6773D353096F0
                                                                                                                                                                                                                              SHA-512:3D0805A4C6FFD40FA8C7A8AC9C7C8EF12D2F5FCA6A55E61818DC2E50F8F2DAEE40E1C043B11292C2700CAFC24C3449E6F4774ABEBD4ECDAA4284875DD3FCF9D0
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\Kocn1QGnt5lNON74XhjpO8L3.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.916657341451682
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5M/iHtL4mn:fE1wkn23MKHtL
                                                                                                                                                                                                                              MD5:9E08D855227C8B3B0F6A9E57C3834DBC
                                                                                                                                                                                                                              SHA1:99B509AFDC13F045B9BB0C760C8D0FC105C19F49
                                                                                                                                                                                                                              SHA-256:3AB7E53C6F5C660822C8F23B164500A3817AF5B9237909BC80EAE0981C950659
                                                                                                                                                                                                                              SHA-512:D62DFD30B46CFB737BC5E9B566C9CD09C7BC8B3F2698E5E5A4013AAEFABA146A21E158A5EAF56AE5F18F34355989129A56F4F71DFBE203DBBC7DD68FE235850D
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\iZp2NZRM4fCHBLrmfY5yxs4H.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.921940355605309
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5kn4k/RAicKLvn:fE1wkn23kpZAicW
                                                                                                                                                                                                                              MD5:FCF184D4D20F05CE2BD56DB50332D66B
                                                                                                                                                                                                                              SHA1:613E4AD917B592E5EC1DF18A37BA6D5AFAB04050
                                                                                                                                                                                                                              SHA-256:91A894C09F1ED14BE78936E586F5BEEEC2404EF48B717FC0CAC19E01E9D2036A
                                                                                                                                                                                                                              SHA-512:1F0985E8F392202518EB4F2A4F0470F9C2D4D50D60E97D3C4C2E58894AA4961FF6A2E7DA16E8DBE7BA378D9B0277DA2CBE8CACF79823C6E0D16B9829DD9C68A3
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\A6zIGniAZ7NEfPoGNA99xdJC.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.857239001305163
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5fQl/0s1rdJln:fE1wkn2320s5Tl
MD5:406952004466AA39B5DFEBE0401E8269
SHA1:EC775A66399AE1BA89CF0075558875A08AAEB0AA
SHA-256:069B550957301032BB5814B3CE922B5DBA38F48A8ABEA66515194F4D32BCF76B
SHA-512:0BD7D04FE9D5E0B745A4C81A7BD9B3D10943F7867AFA38467892376CDE14D2686EB1ED18A6770DF7150A4FA4221659819F2824D0EC7D18526C5B0DD8AA7904D0
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\zU6BSyD8WoQsImtLem5lAF2x.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.929045065687527
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5xVJcoXkv7K4F:fE1wkn23TKNbF
MD5:9E1BA20C5E8DE0A3FCDED7B6B4AE8E73
SHA1:267A70188F5B83B8FE2BE0541F8DF8B7D773E1E9
SHA-256:F2AE6AAAB8862131DD63213D61DDC6C7302A85408C6FB6058155F8CFE60B75C6
SHA-512:65DED8BAFBA94202A1AB48DE2AC74D658426C3A4A496A5F2EA60398C2E7F7A503F07B2514937B09092C4D2ECBFBCCB4AB0705E2C954030F0BFA683E52BE1D186
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\Tp59u6n2uhrgw2uPRJT1mo4o.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.003613863190812
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5iS003cCl:fE1wkn23ir03j
MD5:38BC31C032CA59716C6541E920F3AD69
SHA1:A30D02E05398441FFEE0AA78EC8DE32B5138C93D
SHA-256:0EB830D545629E91BEE7C9ADDB29FED893E2A8DCE5BCF91A1C8C1B45E026319F
SHA-512:875F0AAD0DAB90A5C772624E89D91C40B1C4B92F07F6072E85EC51F099BE79D20BB6BE4D3AEE92FC4013B54ECD0976F4BFDD13C7B955E113FD023E72F28B2891
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\GNcg3yiDrmzw07ZdoxfNbs1v.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.894776544287524
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5qHC4lW0blbs:fE1wkn23qNlWSJs
MD5:D7A971F4840FD8B802628291A17726DF
SHA1:61CB613BC4C0380057E51E0948167C177E8F93F8
SHA-256:3ADA35427A3DF63404DE2563A4FBB47490A50998F9FA149CF35ABE6917B680C7
SHA-512:C1AAB1E42EB12F109667FBD644D8C2087F06FD1DFF6E4ED14255157C1C6C595F1707BDD4C1DD5E7697FCF0BD9E974DB15530116E27A79B298A1E839971F7B0EE
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\Obg7n5Z5efoxTsQrcye3Rd29.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.00889687734444
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J58iwBwIpgTdeLIkAl:fE1wkn238isi0LIkm
MD5:61CA720CDA3E4D60CF6397527D85682A
SHA1:681C1587675D831D96BC386F1AFDEE5B7969A158
SHA-256:A13706E13087D0FD7ACF6DB8E2F580D7DA0E766CF8BB309C20C2DDC10901986A
SHA-512:3F32CB1C69B0D79392897165AD8EFB75D364C60B39C9C68C1CAA35AB345E8CDC3439E6E1E8800A1141A7112038D8261860CB79A9C1C882DDB30BF8979B1BAA72
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\YGTS10whU5xLzk2bVxVWnmYS.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.84774592837685
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5SmXx0vPOVQ8x6EuCl:fE1wkn23Sg8ZfER
MD5:11316C6D8E24CBB5F70FA894CD528430
SHA1:BE69B363213AA1B7EEFCB8C5A2070218C7692860
SHA-256:16F96A9180C8D53A75F8E099E58F002E6674E28969E42BD2F18F9EA4C6A98516
SHA-512:77A296AA825BF383BA15247CB16C4512AEBCD7843DD7EDDC88C093BAB1B5BA1B879F2B4A9BBFCCBB90381566A8043E33D20F7887FCB5BDCAE9AF688D99FAFA32
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\7GonYrcCQJRZWxpQLYX649aX.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.853403312805302
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5UZfqUHson:fE1wkn23Udso
MD5:8D5A9F9747F567B1D9EC38D3C6D525B0
SHA1:4D514403012786489BE7DE75476F5F64F9B5BE7A
SHA-256:F74EA9B9B4F0E6D758972B57B0A558AB97A5F5F621D8FB5E6A2AE2F99F2DDCE9
SHA-512:AD1B426F7ADFF5862172267C0121CF2A889E4A56274763BEF07BAABAB05F8D68DA4FAE6F231FE42612BE62BF29D0B02707F545D030C7561974C9ACF2F0C87A88
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\1sULHHpeqbgWxmRBkrwHQ2Wq.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.858686326958928
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5XBftvDwdnYFn:fE1wkn23VtvslYF
MD5:369732AEC60D1A32DDF240050BDE8620
SHA1:C6269F618F1A65C8ABC27611F4C84AF70AB27A8E
SHA-256:AA2D1EDAC638E0F89FEC59B68DCA7882A74301BCEE4644A254A98032DFD58F79
SHA-512:582A155A8BBD08F4529AF6CB72AE45B72589604212B5E4BE516080A6E97C19FC43270A7140590BEEEC9ED504C07E0235B8679F98CE3E461BABEBAABADC57825C
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\rgIKhNst6KD41QCemJfU8B6e.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.878178761276993
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5O3u9XfOUUSJHFn:fE1wkn23O3u1f7LJF
MD5:6A5728E0FC5F04095AE938046F92489B
SHA1:D8EE3F91E88E6E81B283435A3145660F04394BB7
SHA-256:1F924A4114DA4F01ED1DF524E5F44DC2F846AB2DC62E9C35539B56933BAEA983
SHA-512:88CFED81D81E428BCC1079C5638AA9F2FB91E3A749E5A7BC3E2581DD70297E52FFB202D45136751B99346B73C489E17B486C3E26FBCD3B2955F8F847E3A055A8
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\kTljKlVr9ONLnjGfMDuDLqq7.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.054480167601348
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5RAHSYTDY4mn:fE1wkn23oD+
MD5:A51A8106F02768240683DC9E3E9AD6F4
                                                                                                                                                                                                                              SHA1:75C51C02EBA60324C74CE2236E74E13D6EB56813
                                                                                                                                                                                                                              SHA-256:6C0E72087F52E223DCB2D5F412813E20053CC89FFDA999515D737D9916399863
                                                                                                                                                                                                                              SHA-512:9C429E7C5509C7E019FC263AEDE28E5C6096C130F1B5C881D485F0BA7D71ADBA35F10CB3CFB697604DCDA1EB2FCE1A3BBCFFA77A985BC27AEEB56BDCA6C5DF0B
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\4eN6JMBulbZWTUqm8bHwZ2Cg.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):5.008896877344439
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5KKBaHXyCHF:fE1wkn23K4aHiCl
                                                                                                                                                                                                                              MD5:BC9406EEF44D0B8DBB55E049F89932B8
                                                                                                                                                                                                                              SHA1:5623CB52237A7A8A680D1A52ABD4E231E6FB076B
                                                                                                                                                                                                                              SHA-256:8EB27AB1459005F132A984B4B34C3E12684ABAB61AD960F3E2D36424DD0E1225
                                                                                                                                                                                                                              SHA-512:ACFA94649926D5413EAA4B5C2BB4D24AA81D2BE9D244B85EA0C5F11296D704438A0B09A4AD4F8779A230488CA88C51940BB5B9FEA4E1653F89F03FAA6A6C5EF6
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):5.054480167601348
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J50sdlNngIHv10s35Jl:fE1wkn230sHVgIHtV35Jl
                                                                                                                                                                                                                              MD5:CEB322A7E2072066FBB2358F6A8B639C
                                                                                                                                                                                                                              SHA1:4EF7FC6F5C5565991717F7FA93138F243D14A40B
                                                                                                                                                                                                                              SHA-256:412B76A351BF8ABCFAE62DC3336BCEEB8D3053ADDA2B5C2DA844D5290F76ABF9
                                                                                                                                                                                                                              SHA-512:769F520B9CCCFDC353BD78C3B6ABFDF64C01070F40132A3B723D9B2E5D1B8443359DACE902CC36A0C2036B30F1F82989894C4B55E2A51AE14399509339C938D0
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\QI8XvF6duFZ0OdsmbJPQIRnh.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):5.008896877344439
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5IvXlZcC3Adm:fE1wkn23IvXlZc+
                                                                                                                                                                                                                              MD5:FAF7D72EFE6A1B6BEEA4761402BE489A
                                                                                                                                                                                                                              SHA1:AB0942437D5DE5CBD26DD35DDB221007674BBC79
                                                                                                                                                                                                                              SHA-256:2BE0C89E113E913BF4635F787262008D1CE4A7AF5EE15E373B9A9722A29CD87E
                                                                                                                                                                                                                              SHA-512:B37BB220D687527CE6DFCDBB1AC8B1116513AB0186A85B6157099462FDAF85A102ABB32FF384DD48D4A9CF2CAA930835C7F8F04153332402582C567D6D8A6020
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\mrFftTFMgiVG2LP46B9gKHBo.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.755132022209268
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5yUHnnyHpd4Aln:fE1wkn23yQyHzNl
                                                                                                                                                                                                                              MD5:E1E38F857F4C56DC4543026F2F87FF2E
                                                                                                                                                                                                                              SHA1:0B5FF957142AA49F2B4CAE2B32FDC05457BE1BA7
                                                                                                                                                                                                                              SHA-256:27AD889A3B7F8070D4C97612F7DA1C417880F4A8596601A2FABDDAC295EB66C0
                                                                                                                                                                                                                              SHA-512:519B4D2E035CF93B0D97C90F06D9D0049BE2105F3904171851DE16A268D817C06DAEA17238A4A39B7CC77632D012E1782415279A4A1F3A366F074B9BC9213BBD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\WIPtBriceCKAWgIcBS0bein0.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.847745928376849
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5X/CQA9FlQv:fE1wkn23PCQZv
                                                                                                                                                                                                                              MD5:D64B1602005BF952F69E73E242904EDC
                                                                                                                                                                                                                              SHA1:989F88E828F5E82FE0C3D816C86865B7448D0303
                                                                                                                                                                                                                              SHA-256:83CF170B418BAECB1C7DFAE5EE1252DED46661B0DC070743251EB532728059C4
                                                                                                                                                                                                                              SHA-512:BEAC6CA4F62B1CEFF36D7593F95A43E442DB55AA1190B9A29512108B2999EB491FDCADBD0DCA08A06930127733E9523AAD1527B07AD73F40CB273A886422C80D
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\rqCKBzP3c5cie0ECqyDcHMBo.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):5.025494660354971
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5uUzH9nWUZL:fE1wkn23ukH9nWcL
                                                                                                                                                                                                                              MD5:403E210F82E7A9C756B1AAD19B048099
                                                                                                                                                                                                                              SHA1:5824085B937CF2401F8574417B7748C2CED2AA0D
                                                                                                                                                                                                                              SHA-256:32661C5D8B3D3D9A9C7B24AB8F66952D7B123032EEA45D44763055B790FB1068
                                                                                                                                                                                                                              SHA-512:2A6F21BF670D2BF9DEB444B3572ACA28ED8E4C4ED5F37EAE08CD6004E7D287B735C85C70F73FF153B006B7EDD2E1A6E0D369DD99A095491EC6572A1D039F307F
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\KWbVzicuAiSBYHryJZst17v9.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.840641218294632
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5GWlXROsMd10SJl:fE1wkn23GWlBOVf0SJl
                                                                                                                                                                                                                              MD5:BE95F2B2AD804C87148CF6173D7310E1
                                                                                                                                                                                                                              SHA1:92F76C1B23CA082C1CA389C77836825124DC1451
                                                                                                                                                                                                                              SHA-256:6137C83249BD163848305323150222ACDFD03A8631A9918DE92DBD35B32D052F
                                                                                                                                                                                                                              SHA-512:232E043FC90526C5804AEF014000F7C5BE626108F81DD1F285CC6FFE006E2E8FC669AF4705FD1989BFF47AF9A2627D49349F0B6A0C617F05412CDC9EA3E348A5
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\csCwmOCWNE9UELQ4txTVhw4w.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.980285740372887
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J58/nVujPrRnAdm:fE1wkn238fVuzrOdm
MD5:601A93D9A9BF2B72DE849A7789EF6CE7
SHA1:A1A691151FE5C40A65F1BCBDF875ED8EE1428D9A
SHA-256:C3872EE4E4718828D1C3878E3EB32435CD7CA801E7984FB22B9FBEE90BA46C4F
SHA-512:031DF355E0B62006964E6587D19CA94A224A328034CAF4EF03A4F37C56796E20D317E7A0D7290D093698818DF26AB7ABB774ABCC362F89FC74F366344619696E
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\YZSfYHwWFKrX6Pjkpe42m3a3.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.975147613396141
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5IPKWqPC0ClIkdan:fE1wkn23Il90CSD
MD5:7FA4C19F84B95A92E4563055B35805A0
SHA1:867986703C1DFC1708A6CEDEB5829625CCDAC66D
SHA-256:5DA2B537D30187623EF77ABF703D88CEA833259216EB55818AD0079BCA88E0B1
SHA-512:3ACCE930E947DE99DDD0A411975DEE18086E9B14409CCDFE0FF9183DC13A652CD9A5E6AABBBC574BD9060D764668F7B62E64162B1182240042A1F8073E1A06BB
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\m17a3Wi6OxEiO5FsOjI20tNz.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.979911370098063
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5mOOVpdYdm:fE1wkn23mOkzYdm
MD5:E17B38BE98DA32E08D32A1D5B0995FC4
SHA1:12F2A2D0BB0829BFE10526E9466DF325D493A900
SHA-256:B99FA616B1D38F946397B6E2AFC6B07CB143BFF4ECCC762FAC65A2836E98C2D4
SHA-512:A94B0954A358B271B082E17CCA0AB12548A6331E9532911790A34F60F837406853BBD83E637EAD3DB506848C199B86FEFA1F6084BD2F178429CFBDCA95EFFC3B
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\Ckxihb2NQynZLzb7wQqDjQv3.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.881743480545401
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5vJ98UzGqUXQENHFIkdan:fE1wkn23raq6VyD
MD5:594EF770C69D25B144AA379DC2499C50
SHA1:239798A6041101E30E90F040E913F0F7E3CDD30E
SHA-256:66747FFBB2B212031AC4B3746D96F4E4A00B983D88162E6C7030DD9380382C00
SHA-512:04EB5932888156ABE2D2970B8C58D9F15AF786D2FA5A9355608814E4464113E3B258F508DEE9A15980464531B717B13EBBD0EDB740C89369EB17A7E62765374A
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\JN1IXYA8ssOWcLaqrtfgX1Ue.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.811655711048255
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5CRdt0GQPj3Fn:fE1wkn23CazPj1
MD5:35F077F2FF16B904E39A735290FB4327
SHA1:4988864B4E8101E87D6012162CD949BE163C4D8F
SHA-256:F3B8458D7B2A3C5D5B316EEFFD3DD712D5BA0D7BA12F6513DA2DB88118F6B27E
SHA-512:2DE5D9ABB07F7AAA3E0D47FD513D85C4499DF870C14229585E4C0AEE1A1A922F9BAD4A097089BCD41F1AF3F789B562E8A5FDCF536B9D873D3101508840525D66
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\gtrlRL8HQLBmCrpj7eGii9RV.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.958030572933904
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5Lxo5E/AhdiFn:fE1wkn23dofdm
MD5:03069E60D1B7412398E2DBDE72A283AD
SHA1:3FD2DE5A7F2BE5B78C21D29FD717FEFA462A9FF5
SHA-256:5A6E9C0B72496231BA9B8CF4149590B0FE4F12353DDCEE0EF0946B8B31D15693
SHA-512:AE25DF1A10E3DCFF2370FC10E704676C5C6BCFA905478312D47E95C66C70990B81CE56854740100DBD228DD6D828DA9E68D430D661BB71A1B21710E01264C42B
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\nRdMq8uD8Vn50SShh8GGGF1J.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.782670203801878
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5OfPJdkm:fE1wkn23OHJx
MD5:C4AF698664E30CBC5174238919C8EE7F
SHA1:16B11664A7B4B5F6CA9DF24181A52BBDC203F5A3
SHA-256:5FFD689DB683C1841C42A5D0F2D3568DCF3068474B1B810122406E273794C2BE
SHA-512:9CEA1215E99702E6A4D85748981F7519F6B9CEB50C3DDE6971C533E3E6DB50ECFC2A45E1DFCF82F7A008AAB59D6525C9267222D6ED123A906EC6317DF5CD377F
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\kzh8LUeSpUUvzS6kGzWDItYc.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.900349836553262
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5MUtwgmR4XQ1/kdan:fE1wkn23MUCgmR4XkD
MD5:586CB271D4FC8D7DD7B838DBF45D1432
SHA1:29D0E1D28BD6A7B50FBB41716C218F2ADB2BD3FD
SHA-256:47BD872A72D9A8B7F19A8A5A844CBC91E322BB6E18CA85AA2C1E31B2D3BF62D6
SHA-512:458273CFE421CEB3E2E90387998F2062AB0EDAD68D2DE40F6CD38EF1488645D5470C4B6563A4A93B87ABED5A0DD6130C4ED810C4869E1D5B4DED480123991EAA
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\i3cGHUfhs02OIuQ54eKiruit.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.88622450855154
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5Qm/7iyfMVAc+4AHFn:fE1wkn23Qmuo14iF
MD5:C15238CB89877A4F0D24A302D97D5401
SHA1:02943679056FCEB0BBFCFC46139F5E7F77355D27
SHA-256:74238035E7FED974B27245F384614EB6B3D194EA6C2AA4831895932D230258AF
SHA-512:889E4724731779D988F0A32D9AF1D1D7F5590596955B18F912AB0755B307D55E82DCEA23A22DD03F5B9359DA3D00B4A368533B86046F8DA48F77D74244A4DBBC
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\5CSwXytovRGWzicTtxKeyiOA.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.990851768680142
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5GRs5J3s2uSVsn:fE1wkn23Gu5sTSW
MD5:0E031FBB059BED22F18650FAFE8B7017
SHA1:9CDA73AA555CC5B248DDFEC1A2DF77CEE1733D22
                                                                                                                                                                                                                              SHA-256:A1757F4A25D50980C8A468C99CE4C05CF678BE195A274297CDD3DF9E6232C87D
                                                                                                                                                                                                                              SHA-512:2151547620E2A34ABE83E4D78D7DE4D51F0567FBBBE9D5EAFBC8AF5331DCD9EB8CFAF2F628AEA4ACCB003C7F2EF1AE88E8DAE7AFB2C853F6C52404DA8032A601
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\cOM8IUNCP0DFnISRQRmA27gl.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.909552631369464
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5ggIMrWamJFn:fE1wkn23ggIMUJF
                                                                                                                                                                                                                              MD5:93A138D238BFF7A86CE495711BA9B068
                                                                                                                                                                                                                              SHA1:E42E82806E4B4E1C957B86AFA0BFFED652A9AD78
                                                                                                                                                                                                                              SHA-256:17641DD358A59A5265BB26CD334D3D3482A2AADC9AA85A728541637C066C4820
                                                                                                                                                                                                                              SHA-512:715EC8DF6E8B99A4770457937A61EC25C172FFB8509DB52A8CB55C20CDC40878E89E10977EC707D9193CD60971B43D042F86536E4320FB0B08D2615459F7B626
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\EEmi2L6GuCPkhaixWFWgtXmC.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.927597740033762
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5r3EUEhTeTAHF:fE1wkn23z6TeTAHF
                                                                                                                                                                                                                              MD5:64B5DF2E1DB3A480C878D52C1C992BF4
                                                                                                                                                                                                                              SHA1:A15D7C4316D83F55311966179625C2CEB3B99EFD
                                                                                                                                                                                                                              SHA-256:469EB98CB151AE5D335E033E373DDA21F320129E8EC5029AB4313F8A6058F26B
                                                                                                                                                                                                                              SHA-512:C966A44A37051056E53ECC75A93A56DAD02BAB16C8D4B9CDF769EACD200EA14AEAEE8E98B4A8596179A51EF09ABCC0C3C6BABD5DFEBB87F474BCA72CD54C3F6A
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\NOigbqKnljqgR3qaRHEw5cN9.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.893329218633757
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5KYLz2wW+HzXAdm:fE1wkn23K8pz4m
                                                                                                                                                                                                                              MD5:F96C033616D35EB1996135527DC353FE
                                                                                                                                                                                                                              SHA1:CDD68F1DD8DEA1CE1B9C16E4C9E56FB0D8B4457E
                                                                                                                                                                                                                              SHA-256:0DE4E10BC037B9E4DB70607BD0224B8A4EA3C784C986E3A739FEB87C54B50F98
                                                                                                                                                                                                                              SHA-512:431A1A008AEB37508C851FFC5037AEC1123E287DFC8D791A5E7E90B1A478698032C3E99E0971E2DA285C7D0357D2CE45177B7B02F7CB22ACF11F35B89AB64EBA
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\oQDwIFVWS8CDFis7e7hIkdVf.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.83680552979477
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5Bs8xUEgxAHF:fE1wkn23vxdgQF
                                                                                                                                                                                                                              MD5:2F2D51101E4CA640B30904FECB1119E3
                                                                                                                                                                                                                              SHA1:7BE9670013217B50F0B9F45253A53E2ECE9AC1F9
                                                                                                                                                                                                                              SHA-256:4F8CD8BD8B0D1D8F4DD7750A21F2D4B492A91ADBFB28AA032B1C74AEC828751D
                                                                                                                                                                                                                              SHA-512:25CF2FC881D2AB8E7E19E95303C40066624C93D5ED9F8EB5ACA3C00E29A709E8041F825BFD0EE7C124955D458AE9009692CA424364F0F84FFCA53D5D85248B69
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\dIzcszODhP85SLHp5gDwads1.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):90
                                                                                                                                                                                                                              Entropy (8bit):4.990170425876665
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5Wkkdan:fE1wkn23WkD
                                                                                                                                                                                                                              MD5:EBF20D9CA792D65B531C46B389D90B50
                                                                                                                                                                                                                              SHA1:B72828FE6955B6F4EFA7945DE13EE0D8BC964274
                                                                                                                                                                                                                              SHA-256:BEEE656199FA781F42C5BC72E9454D075BD14F5A62288DCA2659923D3A038578
                                                                                                                                                                                                                              SHA-512:563F9C5CD4FB3671DD89997F4D5775AA809DE415CA57E39C268CCB385D6D5C54FA38734C70A744AB0C8889A9D76FFFCADACCFEDC97B23CB1AF2D0123BB03CCFB
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\31Q0tfhZ3ZbBeSnpH53Q6cmR.exe" --silent --allusers=0
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.829700819712552
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5JdUWDG9dcv:fE1wkn23TUWIdcv
                                                                                                                                                                                                                              MD5:02ACFD69D4DB47D6FF69B0B17C3D15D8
                                                                                                                                                                                                                              SHA1:14DCE69ED359EC5E81604B04239B54EFC9D7B08A
                                                                                                                                                                                                                              SHA-256:9BB407AA11A791975B758AF01299467B1D7CC7EC84A0EB2D7D349698B7711A44
                                                                                                                                                                                                                              SHA-512:3E40B79E3C37E2AB920BEAA6D93FFF3EE186FA23ABFD021EE0D08545298048866B5DC7819D4D3A94BA2795229E3DDF21D8C7DF6267C6D46FC0030368E53DB0F4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\lxJL7FOaOc6Tkk0XNttI4ctE.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.958030572933904
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J50wNMegOyoW:fE1wkn230wNIO7W
                                                                                                                                                                                                                              MD5:BC16BE85619FAEE2B2DB1C4D4820DD17
                                                                                                                                                                                                                              SHA1:B680FACC723CEEC4B30BE6248D8DBF23AA9987B8
                                                                                                                                                                                                                              SHA-256:E6CA7138978DF2458B434865C39218EE94C5694592CB17BD3020862F7AF29F1D
                                                                                                                                                                                                                              SHA-512:2FD326A89D40715D26715866025E340CE8EA92B7AA830F80FBBB37488F7C2CBFA34630D79A081822225B75D1EF264282560509F92FFFFA04BB3786CD76CC6202
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\QULdLniTDqWIS6ivnfEkWMUZ.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.915210015797916
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5dy1sS+tqsVF:fE1wkn232+tq+F
MD5:981D12B8C8C51E6250930A704CF39509
SHA1:BA813E51326BDC6FB7767E87E9DBBA10187D5130
SHA-256:81DB71254A368364AE992C5A9F2BAA75E3DF3A6173772BA2EDE87F01C14F7083
SHA-512:36772A137A7755F7F607EC6AEFDC66585493F83F5BE3FA0FA6F9D8B08C45D2B70786AB351633D7CBEB15DB77A1B69127734A879D888B3F56545A0DA7BEB03694
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\xWO4HdGMj74aDnNwcibeJHOS.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.99795647876236
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J52Q3LMn8ifk1El:fE1wkn232Q7UhfkQ
MD5:8670F0041C3CB0C3FCE18D7130E77994
SHA1:397566A20393BA4B2E00B744C31A6F05F603B53B
SHA-256:F90E2EF678834B0A90EEE92388864B044C958B7FD78ABEADFBB1E73F41B31233
SHA-512:A812BECA1707AA6345DB4D1454B405330E5D51794C30210F5FD3E1FE583A10F0253713E3EE7C0D7FE4BBE10925484D558A4EBDBB715ABC15EADA1C46BD44C0AB
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\SuRnIHuWYWEWXFXLcVP2Or9Q.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.830075189987376
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5docjV39OyCxc6m:fE1wkn23njV39vyhm
MD5:3058A221674575459ACE0CE95BE4DBF0
SHA1:54067866BFF90AFE2B643EB756C4EE431FCD490D
SHA-256:D343DAFFF4E1D89E40F600A9E8E78D86228C7BD1BEC0D2993E7A3054672A6017
SHA-512:E8D9B84BB3A8A693B1DAB418C10D22495E6B11D20759349AC1DBFEACE061074F287C648E2288303BA9EE8D5EBCDFC4E56FD269D096B75BE356E9411660A1FB11
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\xMynrpRscnCMe5EhOaqNgT9P.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.824043435284101
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5xdVo64XdAln:fE1wkn23bWtCl
MD5:DDDDEF1DBA5877933A7764DA9DB5592B
SHA1:FB8C69CCEFE76A04DFA8E6A13F7DB84A02A4B76D
SHA-256:B374775634BB2D6CCA083EA1DAD74E976BA58AFCFDD25BCAE19B5AE0CCC5B2E1
SHA-512:59FC080577D9AEDF71ED6A54D77240BE05702282308EA165ED1732F0B00EC110E0CBE03EA594D37379762D52BF620700E8EA109ACB8E74489BBE197C2CA39B30
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\TxcN817CnpQUUQpmxVzV0mFT.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.030777674508598
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5MwUXBiT+H:fE1wkn23MwUXBOK
MD5:98EF7BB7776C965518AB4835123EBAA0
SHA1:5EC0EC18259EC6F70313104E98B77ED2712C7310
SHA-256:46BB2042887AD28A2ACCFFF0714833DF2EF9EE629D2BFD8E0FE7E341F352723A
SHA-512:A9176A66291D6AE3EC299B14066EF3435A074749BBBA9F2C0330F7DDEFB82C43CEA5F095C1A18B9A99BFF2BD9B66E59A1B700094554603CC527CA06C690C6229
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\iUqjJmkpzyvK9tYYVEHTZp1W.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.956583247280137
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5ETxpFRNH69Dn:fE1wkn23ETxpFI
MD5:397E86D53FBBFBE2ECBA1902BB88C35A
SHA1:9846E7CD1D2E359CC83BAA99FDE6890961ADC123
SHA-256:669E656C8D4A01EEFDF73A0BD322258FBAD911ADFA5EA4A8F86DE87B6DC19CD5
SHA-512:441E9BA32066F82577044BEADF9B05BFD0EE1C489D8AF387BA24479A917CE2BEC230BD3D1D32CBAF0139BFEBE0CDF3E5E1710B04039B78F621F9835087D9480D
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\a84xxA52gOFQbQH4hbzYi5Xz.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.974682680285403
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5u7CyAY/QiBLIkdan:fE1wkn23u7C3eqD
MD5:6454635BF7F8FA6964482B9CAB1EE18F
SHA1:5C53DF1D19F12103224C7814CCC4541958B446B1
SHA-256:AEAE37FF708BE6D25D6D05C6577BE1F54759E96C15BF5D2D8736041D982758B6
SHA-512:44F51C2A28F0C580EE39DC652BA4CACDAE118C89937AC7CF5AE10E7AAAEB85FC753D61EF017BBD08BE6872036EC85B9DC79F56F0DD32D95FD84B2990B75EF651
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\KV2qLRPax2onnz5Ndu1Z5G5q.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):5.091497264529594
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5/QWdsg0sIkdan:fE1wkn237dsvpD
MD5:C993E2AC12076A3182A96AB22D701AEA
SHA1:141CB68D401CB54D696AB51A06D9DEC16E149A4D
SHA-256:12E8C5EE8AD2B52D8DC8CDF8A4A049DCA0A8BE119119875CFDC62494C4EB380D
SHA-512:7BFC52FBE0B74A22C27D5FC08F2BCF63164FD28BC51AB173682461963E01D11E8C9DDB232C6028C7CC5D442E9145997B50B0B173203848DB697A7B35BD3A2740
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\Z53Wf0X0IoS1KV8zvVeoh9Jq.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.944616365097667
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5dTRdM+WOIkdan:fE1wkn23RHM+WnD
MD5:E3554E2B09E905B91BB9892B4DD6D142
SHA1:3DAA07301B88F936CDD643B76E6281384BFCA77F
SHA-256:7084013E4344ED7F4D73C1F0C05EC73CF496D05AD499B8431A0E221865EE43E6
SHA-512:6A32897FDAAEFEF3063A2B3C13F3EFFBA2077478CE4FE8541F629C37C774B31C4293AE6DE460653936DD254369973A03A13160C3FCBDED7AF5C223A4369F0E51
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\x6grxPSTyIeA8EPDMgptrwYO.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.967523645862217
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5PeudcvtNsn:fE1wkn232udcvtNs
MD5:D4F2D3FBA92AF3A2E2EBADEB03AD5440
SHA1:90E9D90C525C143A1E2F6EAFF9D580FE13C124A4
SHA-256:DCAA01DC08614FBA4928CD3BB3B7A257827932C34B77C86E503B46539D30A569
                                                                                                                                                                                                                              SHA-512:D76C44DD5AB1734F8F405CD44FF92CE75FD7507A411C89C68EEB9D4BA3624BC821881246B07534F1A10C79AAEBE802781CCFC1241CA256519B2A63D12F07E352
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\jPR83WX1aF07mPj541WJbft7.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.818760421130474
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5MddpyuPyMJF:fE1wkn23MtyuJF
                                                                                                                                                                                                                              MD5:C1A3600FF64BABFD9D6318762D8796ED
                                                                                                                                                                                                                              SHA1:6F74D710AED480C58C35666B3488C238DC624089
                                                                                                                                                                                                                              SHA-256:8751BE61191D0F7D86DF260683221969A80A9C4F9843A112601047B0B90F3C90
                                                                                                                                                                                                                              SHA-512:5703E9C8D2C0429C96D2AF03E03D3E70E7C1ECA9E3E3D5D4258DAB5CA3C00E8161A9B3A37A417458492328699B7EBFC210DD3932A541CE205F80B0E9D9FEB03C
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\iiOuEJn1yBaeJOKc16avXLXi.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.976075681598201
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5cLlfdYWm5Fn:fE1wkn23cLDw
                                                                                                                                                                                                                              MD5:73ED654913554AD55E66B9EBFC1D0FFC
                                                                                                                                                                                                                              SHA1:3B47E5E1B39DE02D1B27D8F78BF2210238CA70A2
                                                                                                                                                                                                                              SHA-256:CDCABF9A665D07C5051742FD9EEDD1248EA88F4AB6C1112AB7C5EA885F82405E
                                                                                                                                                                                                                              SHA-512:1B7FEC5311E4050DAB4989AF58CB1B9AA40D6EF12240DE9A17A5E5898009B8D81CBD5E7C92B6B31C548C9B36451532DCA8590E325082CAEDB84C3DA98B620152
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\ydXU53ROIY0b9rjoj3B1m3C2.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):90
                                                                                                                                                                                                                              Entropy (8bit):5.008055320037074
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5vtSrt3Qykdan:fE1wkn23VSpgyD
                                                                                                                                                                                                                              MD5:4B70D1DB4813C55FB4A363876565ED26
                                                                                                                                                                                                                              SHA1:075F479BCAE23B0EC04A0223F76458ABA88C2891
                                                                                                                                                                                                                              SHA-256:85C4B684B86FAC26DAD1A438BA74500F639747D134FA0A521E8E94DC84EE79BF
                                                                                                                                                                                                                              SHA-512:557E2EC680136F3718F53D4FC3F840969669AE46223AB303F028635D62B045031151A1EF94B3565BD83E4277E8B43C2AA44D1DDB32C9A1EACF8C382562A491F2
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\JeZCwGu4yuVGGxFvnw3BIkJ1.exe" --silent --allusers=0
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.920493029951543
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5Ipkhv443oF:fE1wkn23I+hv4HF
                                                                                                                                                                                                                              MD5:2390FD26BCD1BC40D1FA85E43F71AB1B
                                                                                                                                                                                                                              SHA1:9BC62B2F6D8B80F890EFEB68F5557BE2C4284A61
                                                                                                                                                                                                                              SHA-256:F2C445558CC7881F7C2ADF4AAB3DCB44F7FCBC1F15BE01A6D52DD5223BF4EEE2
                                                                                                                                                                                                                              SHA-512:98F007E60EA2156CFDC9F87B3EFC32A5A2B4CF70449C26919216983AD1DE9ADAB269AD73534D28102B9B04B92BEA6E07831942406FF883F09E861C187C812C84
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\mLelSKT2LDJXIBhhiZbtJLRy.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.938912508890666
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5hVTJDjf1T0em:fE1wkn23DTNmem
                                                                                                                                                                                                                              MD5:3544206DE938E40320F70D9104DAC987
                                                                                                                                                                                                                              SHA1:19882E03D165F2B4595AA0C0D3ECF52547D79AFD
                                                                                                                                                                                                                              SHA-256:D2B0ED00404D315F95B7C69898A1AC18DDF846D7B762BBF3D752ADED04BB25D7
                                                                                                                                                                                                                              SHA-512:64CB41415EAF475FC4A7DEE7FAC78B47F7F3A616979E1F7D2957E4A02735A06FCB54433C0122A1511BF0188B9D443716BFE5E43C4478150C099F4E2E2704C0D2
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\D0v59fae1RRLyzPSbsQoGGZK.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.865791037041147
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5uF/HkUJL4mn:fE1wkn23u1HNL4m
                                                                                                                                                                                                                              MD5:D38749039D7A559B3F40C8328993309B
                                                                                                                                                                                                                              SHA1:5CBD72A00372BC1B1DC059EED03AB771E46F83C8
                                                                                                                                                                                                                              SHA-256:D917685129AB7E29BB20B410A9F19645D6EA30E08150786B7D54FB4F77DB4C33
                                                                                                                                                                                                                              SHA-512:D8F9DB6E2A8ED1E91B09B9BCF082DA04BEB31739C75025BE5E6BF045ECF8FB263CE4C33658A5C624F3F24AD95E302085DFF5C66BE97FF9905E7AB8FC8CE79425
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\KZrOTs6FcYbq3nj2hpYsaJil.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):5.037882384590816
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5B8iH4vF:fE1wkn23eF
                                                                                                                                                                                                                              MD5:448E44C116955CDCDE9193EE2BBD9118
                                                                                                                                                                                                                              SHA1:23BF1974A51BA2BD8216769EBDCCD3571C09E760
                                                                                                                                                                                                                              SHA-256:572A0B28296C282AA9D0F304BB8F242619C9A3371817F610E194C19FA657C47B
                                                                                                                                                                                                                              SHA-512:3DEB99E8340F7F9842D4A60F7B902E36A4788E61CC89BA808216703058B8454219C42D24F3784EBF37A7B14AF9F5354610F9B039A170802A611BF89BE3A8051C
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\dYzlQyYiVhnqA3GhRDFvHDg1.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.961866261433766
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5DVDr3KJHFn:fE1wkn23JqJF
MD5:FF09A36941705506B5EFFEB79D72106B
SHA1:3A4AA768FD19EA9F00EB8F690D2FA8F0E9BFD2AC
SHA-256:88EFFE11461B8581EF4487CAE30A8427432488A5F81CDC98E4B324599F119FE5
SHA-512:789354A825A7839C7AB437BC47852A8C5E7E08C676EDDCEA2C4AD7817A2A17CFE142607F8D2C9F947A9B775013FE33772B646D26309300B30155BA7BA3A634A7
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\f0h4XS72dTppZnfmwBjhUBEA.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.778834515302018
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5rcTmDpGQAdm:fE1wkn23BDcQv
MD5:CCDA3466887E9406E299AE01A972AB9A
SHA1:FBA7AB171AFF76249F25CA29B689C439F8A29BD1
SHA-256:DCAAD3745B98F4A61C61D5FD11DAF4597EC9C1EC72BA8D6433B0FB7B194CBB63
SHA-512:C63F9D3E11083F0649AA1A2C3FE5B42FA83DAA5C56DD5799D27683547375D702981C92B87B3E6BE832EB0825C24955261154ABA6D4B20381B181DE7FF3FFD336
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\N96vu2CQjxii1alDjKixgxro.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.944195523044294
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5qfQ1uwNWtthkmn:fE1wkn23q6uwN47km
MD5:6C429A440A57158BB1B14649468AE95F
SHA1:835D75094802DDAB862424FD924D7BD2394F14CC
SHA-256:EED95955FF211D2D8F97104799116B11F9F0FF7802FC0E2E83D65CEF552BA77A
SHA-512:3573B236B667DF63CB16F5B6CF971C8FE9807C5F8B04CC092E8AEC1E541ECA7A533EBF2B7684D7DD197F9E2C05D64E08769D6834038EAD281D9B89E27AF85E6C
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\OzuxsP18idUhxNQxYYbIiZFx.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.83680552979477
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5WMSOqlhrpEBJF:fE1wkn23WMPq7SF
MD5:49F5F472CE9FA5328DCB345E60590CBB
SHA1:2BC1E628E7B8F6A54C007CA20EEBB922C3C88071
SHA-256:483816855E2B57F9AC34DA2C0014B10E0081A3544FE0EEFDA0F6506847980E3B
SHA-512:3B876243535E4E29405A8B260C11231D94D85D96633093C2DD18881D1025834379CBC0B457480DDBAABC410E06A2441F90E74504F187F75FC827C2FF5AFA1D8E
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\si8fAgQZyD6Cx4plDNMQadak.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.968970971515983
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5USPR11Tq0gL4iF:fE1wkn23U8R11GL4iF
MD5:0A03A9A96452B6A0B25B4015BE88661F
SHA1:2B6D29762E2D5BDDF894C4EF9C206F426C447F71
SHA-256:F060A715AA1606675DB6EB63F4470E1EE8ECB844C89D256F517A73469E4852FA
SHA-512:72644C24C7F59D1F44CF10572C1D39D2D4CFD775779956C5DC88548B778DE4B720F6572387FAFA743E26E0D196DDB8DDCB6866CE64622AEABCC9C0E5E5EB99A2
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\q1Wrkjlqz870PPzT0bIAuAXE.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):5.036367335666441
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5nhRPXzgzR8kdan:fE1wkn23hRfM98D
MD5:FDD717164E5E1264FAEC51EEFF596E46
SHA1:882476874193763260C9940EC908578924F91782
SHA-256:E36688F2074649327FDC8A33A1BBBD32CDEC689A796573BD299472CCE1C9DA6E
SHA-512:0BED92E32453ED265724775CFE837D84B7714D5A500EB15640E6703934645F25EC19357E53ED752A25144E334CB708063688DF4723E6E8547E8FAFA079F2B6B5
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\BScYPWRXjjJsm0UZKd8ZE404.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.985568754526514
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J52KIbcmD1VIdyrl:fE1wkn232TbVIdK
MD5:8822A59D0EB652A6A7F279D1801ADBCC
SHA1:D9120F4C346FB6508DA7638225E88579B8CA5398
SHA-256:684EFD076D2153B165EA5251C91D2C9DE7B8067DC999F41ABE28234BBB394667
SHA-512:425D3C22C02AD88CD5429A210D57BBC12DE2BEF6CA91C7FB3DCC757F0CC6E0BA181DCF17CC3ED93F8C3DFE5A7D14A84B2FFC8D8641B6DD2FAD89D4B6440566B6
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\S8ELmP46wfy25sPQImx4dfKP.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.76462509513758
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5SGeUXohiF:fE1wkn23SGFGiF
MD5:832060E5AEA241FE0DFF2E1E6751C5BF
SHA1:A59918B3F9DA4B345D9D9D25FA3781C776D0F536
SHA-256:35ECA2F81BEA8D2927F8E0ACB070506609344C6F7A5E335BC3A014844FA2A41B
SHA-512:B53F69924DB6B7381EBB0542DA06EBBBDD000597DF05BD97DCD82292DB4EC3CBDC8EE2043DDFA4AE0D58AE4387E9E2FC92B48E5B5763B73791172FE91AB79F8D
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\7cokQoA6j0WDpV84Xp72tQca.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.955135921626371
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5rcVf0dRSJrUHAsn:fE1wkn23+0d0JAgs
MD5:C9BB8F5918EBED365D71503EC58558F7
SHA1:2DE585A26B7C952DFAC8094C1C4348AECA09DE63
SHA-256:E6FAC012A1F70FBE59240822E7E31C82DE68FE8FF49176F7DF6EA5ECB140D684
SHA-512:FE205AB577D41F38CCBA6BCEB2C2CC308F7A4D89E5E30C83746CEC8A650F1E23522919AB1E9DC1E21C82C45446887D5766C0A28DAB7B505DCEA2D135A42D9DF8
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\N9QaRzQ0AfOLtw4JsIq3BGlx.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.898612232787385
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5TBE29ISlUQ9VLNHF:fE1wkn2362GYzVLNl
MD5:5988876CD52881743DAF7911DA95A3DF
SHA1:85B9699C3BF7E78EC806F14732C9765B0F455DE7
SHA-256:7607B22440FBAAF22DAEEB366AA076967B4ED682B33FD4F134AAD3E321DCAD9B
SHA-512:2CE26DE06620FB98C40880E023A45A49B05E0BE61ABC9FF1C69DE4C8BCE93F907D6C4C9723D85A5851E2D9B3191B92075FCA97C050707A3EC484F3C1A3D378BD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\vRRDKxJPSQaL9EAwTnxxq5Xp.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):90
                                                                                                                                                                                                                              Entropy (8bit):4.847804770406588
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5UygyIAN3xPyQRN+Idiykdan:fE1wkn23UybrPNN+IEyD
                                                                                                                                                                                                                              MD5:5B3CAFEA753D02262382783E2E9BD99D
                                                                                                                                                                                                                              SHA1:BDA655F52B74FE1B58772A92752B12333701FB71
                                                                                                                                                                                                                              SHA-256:6874A267B78E75BE807092B437AE5E1A545BC7AF59A56A2175B065B827A7BFCB
                                                                                                                                                                                                                              SHA-512:104CEF5181F2AE3A3853A97C2B473B175272F6B240C9C991807D2CD32DD5A118C633C9BECFC25A75C4C727413544ED8DA0DF7B70E8A9909440275C1A5911CE53
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\qWJzemjmehRTjWu4hQlmexeK.exe" --silent --allusers=0
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):5.003613863190813
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5SWsCsMXOeUV0Cl:fE1wkn23SWsFMeeML
                                                                                                                                                                                                                              MD5:FEB70876557465013DD11ABA57B031AB
                                                                                                                                                                                                                              SHA1:ABA7972A3A136B25FE61B56BC5778E563B683755
                                                                                                                                                                                                                              SHA-256:0E3B404989748EAE51D831576BE56CBF9CE4AFA0303269CFC2ED4FF04CE8B24F
                                                                                                                                                                                                                              SHA-512:0AEE11BA17F4FE6AE88A58F6E7AFA489AEB2FF52756D9571C7BEF09C3ECF750E2E9CB7D838B83E3654A278C4F2771E4E1E402292FA47EF7797384640AFF2196C
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\ws45TNfHbiigh1rlfu2kvwqp.exe"
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):69
                                                                                                                                                                                                                              Entropy (8bit):4.904269617215837
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Ljn9m1t+kiE2J5We0GQWL:fE1wkn23W59a
                                                                                                                                                                                                                              MD5:7F524DE6F258F588650BA3E4681C9084
                                                                                                                                                                                                                              SHA1:BF14FCA7724B5345287C4D49B679708D849EA600
                                                                                                                                                                                                                              SHA-256:FD63334F708CC7AE5A29CCBBDF56BDB9C85391F4352F0002BF6E25756FAD638A
                                                                                                                                                                                                                              SHA-512:E1C6884B4B9403519D6103F9D0B2EF25C0B95F5DE2040E069D9F312A5DCFA349C9F0C4C061EA8FF050C5E6611BFD12F498C14085F1BF94057D6F154B0250F9DE
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:start "" "C:\Users\user\AppData\Local\sZo8dt9VSX8cm31TuXOiptH3.exe"
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):40
                                                                                                                                                                                                                              Entropy (8bit):3.3265896566842335
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:FkWXlHETUrbi:9uy+
                                                                                                                                                                                                                              MD5:4EB1892C75102D6D129A88D7D9039A4C
                                                                                                                                                                                                                              SHA1:7B2FDEB0B6DD38CED67F7D42FE7B44EA7AED7F46
                                                                                                                                                                                                                              SHA-256:FC0F9D39641AFF0934EC0BAE49710820F49B546B6EE8044E65E470F4EAAB1545
                                                                                                                                                                                                                              SHA-512:879D6D88B294715D99411D80250DFAEA44BC5E6788D72590771412EC3EEBCC4FD1E876F1FFABC5699FDFD48E950DFE2469D20FA0DD48A61F847FEAF12B47EA46
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:sdPC......................nE.tGK..N...F
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):343552
                                                                                                                                                                                                                              Entropy (8bit):6.7047176909836566
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3072:XRKcLCu7bjrfJE0OlCV0+L/h+nPO9lhE6Vh5MaYo8DU06kgTJW7E1LeUOUkEqiQJ:EEbj9ecVRL/hHVhVJ06fTJpfq0zxJL5
                                                                                                                                                                                                                              MD5:540F70094794C16274ABCD644DFE7738
                                                                                                                                                                                                                              SHA1:9C644CF30F5BB34E824E2C73A761AAE159900547
                                                                                                                                                                                                                              SHA-256:0DDADD676CA7814044645E7E230F25A9E1BFEF479582179D22AB4A26F962B5D9
                                                                                                                                                                                                                              SHA-512:20206DFA3F7D4A144B2158D2FFA7F101B95CEA396D377A4DACE47CB010C75B1F3E5FE79065A2B03DAAF4EB98EC43A01AF7A66E89A2D8170B1CB9970D17C675BB
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....T.e.............................g............@.......................... .............................................t(..d.... ..p........................... ...8...................h....... ...@............................................text.............................. ..`.rdata.............................@..@.data...H...@...&...&..............@....rsrc...p.... .......L..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):318464
                                                                                                                                                                                                                              Entropy (8bit):6.547791907799988
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3072:kpmcLlzbB0rV5n7CzvfHT99+nPGEl8G2TQVWyS7xAYjhMp70nFXXa6uF4W6vc2m:/qB0772v/T99oVmA370nFXKXF4W602
                                                                                                                                                                                                                              MD5:919F8F761910803D4FDAB592DBBEE63C
                                                                                                                                                                                                                              SHA1:819C861043EA6BA0D69D48A56E1F8A0C295EAF83
                                                                                                                                                                                                                              SHA-256:FC1D13A97211887DFA7767DAA27817C1575834899D9F47A674F81D288230DF6E
                                                                                                                                                                                                                              SHA-512:69E13430652A6855F9CFA4DF964F3BDEBADBFC8D405B06330706E7A273A5D06B34836864EDA4B792FA46EAEF1B7CED10F7C2E024C7F9E09B329938D511D481EE
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....Z.c.............................g............@.........................................................................t(..d.......p........................... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data....|...@.......&..............@....rsrc...p...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):2188562
                                                                                                                                                                                                                              Entropy (8bit):7.94338433261686
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:49152:CvxfXTFb1TJDfeQ3ZPSdivgGasStYLXbCKsVZ4:CvxBzfe6Kdi4GasoU2KCZ4
                                                                                                                                                                                                                              MD5:309E2C38AED62655F7CF09CFCD40A56A
                                                                                                                                                                                                                              SHA1:A235B5E71D665DDD520443DBA2FD42E0F89E3FDF
                                                                                                                                                                                                                              SHA-256:0B9A3732229105BFCBFD661BAEC73D588F4FE63F1A8F5DE162607874737DC0D4
                                                                                                                                                                                                                              SHA-512:642354A2A0A475AA979E44C00198761DB6E3C0C10075C8D4F44B6B1F43760C49784D9BB6ABCCAF18E0F7CE762CD931708AAD572C87EEDFB03E821749E46CC09C
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......#.=lgwS?gwS?gwS?..?jwS?..?.wS?..?.wS?...?ewS?..W>twS?..P>qwS?..V>UwS?n..?lwS?n..?`wS?gwR?ovS?..V>AwS?..S>fwS?...?fwS?..Q>fwS?RichgwS?........................PE..L...`..e...............!.............m............@.......................................@.........................`:..4....:..P...............................d*..@...T...........................@...@...............,....0.......................text.............................. ..`.rdata..............................@..@.data....\...P.......:..............@....didat..x............J..............@....rsrc................L..............@..@.reloc..d*.......,...,..............@..B................................................................................................................................................................................................................................
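Two patterns in the records above are worth checking mechanically: the 69- and 90-byte `start "" "<path>.exe"` one-liners written by CasPol.exe (a .NET policy tool that has no business dropping launcher scripts, and which the report's signature list ties to script drops in the startup folder), and the 2188562-byte PE dropped by KI5P6OyhHMwNaNA4w0xtd3UY.exe with a reported entropy of 7.94 bits per byte, close to the 8.0 ceiling that packed or encrypted payloads approach. The triage helper below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses the report's flat key:value records, flags the two patterns, and recomputes 8-bit Shannon entropy on the same scale as the `Entropy (8bit)` field. The 7.9 threshold, the user-writable directory list and the record parser are this example's own assumptions; the embedded sample records are copied from the listing, with the PE preview left out.

```python
"""Triage helper for the 'Dropped Files' records of a Joe Sandbox report.

Added example, not part of the report or of the analysed sample. Checks:
  1. a one-line 'start "" "<path>.exe"' launcher (File Type: ASCII text)
     whose target sits in a user-writable directory;
  2. a dropped PE whose reported 8-bit entropy is >= PACKED_ENTROPY;
  3. shannon_entropy(): bits per byte, the scale of 'Entropy (8bit)'.
Thresholds and the directory list are assumptions, not report values.
"""
import math
import re
from collections import Counter

LAUNCHER_RE = re.compile(r'^start\s+""\s+"(?P<path>[^"]+\.exe)"(?P<args>.*)$', re.IGNORECASE)

# Assumed: locations a non-admin process can write to; a launcher that
# points into them at a freshly dropped binary is a persistence indicator.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\user\\pictures\\", "\\temp\\")

PACKED_ENTROPY = 7.9  # assumed threshold; 8.0 is the maximum for byte data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_records(text: str) -> list[dict]:
    """Split the report listing into one dict per dropped file.

    Every record opens with a 'Process:' line, so that key starts a new
    record; leading whitespace left over from extraction is ignored.
    """
    records: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only, so 'C:\...' survives
        key, value = key.strip(), value.strip()
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def triage(rec: dict) -> list[str]:
    """Return human-readable findings for one dropped-file record."""
    findings = []
    file_type = rec.get("File Type", "")
    m = LAUNCHER_RE.match(rec.get("Preview", ""))
    if m and file_type.startswith("ASCII text"):
        path = m.group("path")
        if any(d in path.lower() for d in USER_WRITABLE):
            findings.append(
                f"launcher dropped by {rec.get('Process', '?')} starts "
                f"{path}{m.group('args')} from a user-writable directory"
            )
    try:
        entropy = float(rec.get("Entropy (8bit)", "0"))
    except ValueError:
        entropy = 0.0
    if file_type.startswith("PE32") and entropy >= PACKED_ENTROPY:
        findings.append(
            f"PE of {rec.get('Size (bytes)', '?')} bytes with entropy "
            f"{entropy:.2f}: likely packed or encrypted payload"
        )
    return findings


def triage_listing(text: str) -> dict[str, list[str]]:
    """Map each record's MD5 to its findings, omitting records with none."""
    out = {}
    for rec in parse_records(text):
        hits = triage(rec)
        if hits:
            out[rec.get("MD5", "?")] = hits
    return out


# Constructed sample: two records copied from the listing above (PE preview omitted).
SAMPLE = r"""
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.847804770406588
MD5:5B3CAFEA753D02262382783E2E9BD99D
SHA-256:6874A267B78E75BE807092B437AE5E1A545BC7AF59A56A2175B065B827A7BFCB
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\qWJzemjmehRTjWu4hQlmexeK.exe" --silent --allusers=0
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2188562
Entropy (8bit):7.94338433261686
MD5:309E2C38AED62655F7CF09CFCD40A56A
SHA-256:0B9A3732229105BFCBFD661BAEC73D588F4FE63F1A8F5DE162607874737DC0D4
Malicious:true
"""

if __name__ == "__main__":
    for md5, hits in triage_listing(SAMPLE).items():
        print(md5)
        for hit in hits:
            print("  -", hit)
```

One caveat when using `shannon_entropy` against these records: the launcher previews show 67 characters while the report gives 69 bytes for the same files, so the listed hashes and entropy values cannot be regenerated from the Preview text alone; compute them over the recovered dropped file instead.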
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5077008
Entropy (8bit):6.713226173072206
Encrypted:false
SSDEEP:98304:AZ5VfUpCCTIDsAi8LXS2vwJ1EbfdOq5elO:Axf8ivmOfdOq5elO
MD5:D15459E9B9D12244A57809BC383B2757
SHA1:4B41E6B5AA4F88FDF455030DB94197D465DE993A
SHA-256:37AEF611EC814AF2CDCFA198E200CB21ECB46CAA30F84D0221A47DB1265B889D
SHA-512:40558644CA9918B84A9438A3A2C4D85A97DDEC378AED23756E14C57351D4B4C82D6316ADD1E62243826328E42C766784CEE5D6CAE41C6FA6C43864F5097A239C
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):303104
Entropy (8bit):6.1282620196226825
Encrypted:false
SSDEEP:6144:5pUtp57JgcC9umP9mQwFpaSPBu+opYh/MLlRjdV55Y14PLckdK:Y7Ydfbe8uBuhpk/wd5HjVg
MD5:3920320ABE977A8205C64894CA6C7E03
SHA1:C7B79862B48101986F1CB72F4298055B4238C617
SHA-256:95ABB1FF23E79D1CCB8A08F9802FD8D3358F2F7F6895494F06EAD92AE39AE0BA
SHA-512:AACD03DB1EF36B6978632DC2E3E1F3A2DA82576C15750E8359238CB104333BE7F9D2C8B3D4A12BB2A8DDA1CD69C7F6149A77EC2C09197C219FF8B657DE72DD71
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):427520
Entropy (8bit):7.797594308720963
Encrypted:false
SSDEEP:12288:4+Pv3L1UTL073jVoHfO5jN/maLPXjh6np3:vv3L1UT473jVo/KjEgPzs
MD5:CD86BE81DDF241013BE032803530DDEB
SHA1:D84462A3AFB848584ED6E871A3EE02C3213C2C08
SHA-256:956C0FD36C2F21F37B8782CAA8E5F337DCF9083994C28080D2F42A3A2CFCDBBD
SHA-512:2779CE00849E22ED68DFA653CDB782C650A0126C3603409610E0499652A72ED0D1635BC3619A93642A49635BFDE672428809EB032587F9D458ABA59BB466FC57
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):334960
Entropy (8bit):7.705013280320618
Encrypted:false
SSDEEP:6144:xSK+aNVSVLZ/ywJ5aOiaQiNXnVdLporfmjhax3aE4pX:xSK+pLwwAipVdWcAx3t4pX
MD5:B0192DFAD5381F844AF4C3AF42D9EEB6
SHA1:5C31358537ACA2EE1BCF759F0580B60A1EB977C8
SHA-256:7F9F67D56A0A49554BB85641A21554A478FBDCE19AC853E3447FDBFFD1DC5434
SHA-512:A6F08297744929C727E1DCE302E189AAF4ACE1553AF396F2CBB3CC8EEA1876CB9CCD18D226D036638A042255AA0CFC94CEC0B1801A69F36B6463A127CBE8B927
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):4825088
Entropy (8bit):7.363795425961208
Encrypted:false
SSDEEP:98304:dPwGDPsMTm7Gh0nUu7TcY0mmdlv3GLCjcKbbygH:dPfDPtqGmnUu4mmdlO8bbyg
MD5:15A5A210A88D15A932171A9FA25A1356
SHA1:7F6290046BD9BB6129AF3DA4612FAD50369EDA09
SHA-256:6A92C749F157EC43B1D14CFBA29F9CE164ECD3048353A720089F872F13B843FE
SHA-512:6738CC6366DA9561DF4B87F099BBA64E56DB7421598C2DDA25BE2933052BDB7593B7B386671F222B1E509A73F54CA982FEAE27FE22D57B6AF82A0B30FFBED258
Malicious:true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exe, Author: Joe Security
• Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\Documents\SimpleAdobe\iTHBJLcts9pEuoqVNgU3srbu.exe, Author: ditekSHen
Reputation:unknown
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):6153216
Entropy (8bit):6.377641735642354
Encrypted:false
SSDEEP:49152:W/Ce4+1N237v0gM68DXYDqwLvws0EdRGtVpT1kTNkbNbQWSxR9DzNJyEv5j/ujOJ:je4PLs6VKOQpyJWSxR9vBEAm8dJT1
MD5:817C11005CA185252E666C25769A2591
SHA1:E52EC29D0E10C63B378B919FA1F5839B714BE07C
SHA-256:353ED3726F653A8E19C5C1511088AE21F3673D992A1781C100DEC7E8418A7FC8
SHA-512:B7CB060C4CABBB926E8A40ADF797F9B082F6BAC87A97B984AA6A636D82CF873B5657026B43D17359FFA1CEE1F9EACCED591F6C03E747B3D63090A4BC3D0FBF9B
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4396432
Entropy (8bit):7.971776651930106
Encrypted:false
SSDEEP:98304:CkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDK:zZ2x3CqNcHdGTLNp+F+8elDK
MD5:B771700D69018054DD943B925FEA644C
SHA1:4E2F78B445F72BA9047E1C3B04D3038F02EDBE44
SHA-256:D17AD1DCBAFC3D794863720E3ADBB64FEC117549A51858DB3BE7B7B7F3BC63F9
SHA-512:5FDE1B9785B13073394F355F627B28932AA436A50A9FC4B93C8F6E2E2BC92CBFA00479BA23339F67D7721BBFF5A0EDDFDCE471C00FD9BC6D6BB27E7E93AC4F32
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C............. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4396424
Entropy (8bit):7.971776907219028
Encrypted:false
SSDEEP:98304:6kZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDv:7Z2x3CqNcHdGTLNp+F+8elDv
MD5:B8A886917F1F5AC4B6B6D85592BA5FAE
SHA1:F79435A483AE68FBC7843F599721429B53D67C1E
SHA-256:581D748ADD7C355C0B9A75A8E2FBBE1D9098562C57E05BDD2F30EC45AB5B5390
SHA-512:7F37566F8DEDCBA66E12C012E082B4A7DF53D767F78525CFCE1C59067921B8ACB756C7496AE74F8B742393F0DBAB48E32E63A1F23621EAEFDA4EE331E1F1589A
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C............. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:HTML document, Non-ISO extended-ASCII text, with very long lines (17875)
Category:dropped
Size (bytes):282582
Entropy (8bit):5.1389896399970185
Encrypted:false
SSDEEP:3072:qMlaKFywUN4tbNLaCzweCRs0xxkdlNY5ZOTHg0mRU0ebgUynIY6/uM:rg4TLaiCRpxxCl8N0gjnIY6uM
MD5:E5EEB84A66D07B6EA15BF94F9489BA80
SHA1:435036A68DCE20F46465528B857D3F4894C5B55B
SHA-256:B7FFA3898D9D6D007BD1191E332B62854E7B5741B2D4E5BF38DA39350F1CCAD2
SHA-512:31DCA6EC89BF8EE7E437AC2B91FB66C7A069ECF5BEEE6E042BB90715E9FDFC9228EDE9B6C9F95880005C2957C54598EFFFD68415F7B1F9AFAB511F69CA8A2EBB
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang='en' dir='ltr'>.<head>.<meta http-equiv="X-UA-Compatible" content="IE=edge" />.<link rel="shortcut icon" href="/images/icons/favicons/fav_logo.ico?7" />..<link rel="apple-touch-icon" href="/images/icons/pwa/apple/default.png?15">..<meta http-equiv="content-type" content="text/html; charset=windows-1251" />.<meta http-equiv="origin-trial" content="AiJEtxZTdbmRu3zkrD0Bg/GvReuip5r0aklN7tIrw1Yit01/+j7PNlJFAyMMo/vqqNVvDmRsGCPGfVtNn5ookQ8AAABueyJvcmlnaW4iOiJodHRwczovL3ZrLmNvbTo0NDMiLCJmZWF0dXJlIjoiRG9jdW1lbnRQaWN0dXJlSW5QaWN0dXJlQVBJIiwiZXhwaXJ5IjoxNjk0MTMxMTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0="><meta name="theme-color" content="#ffffff">.<meta name="color-scheme" content="light">..<title>Error | VK</title>..<noscript><meta http-equiv="refresh" content="0; URL=/badbrowser.php"></noscript>.<script nomodule>(function(){"use strict";function e({needRedirect:e}){const n=new XMLHttpRequest;n.open("GET","/badbrowser_stat.php?act=nomodule"),n.send(),e&&window.location.replace(
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:HTML document, Non-ISO extended-ASCII text, with very long lines (17875)
Category:dropped
Size (bytes):282567
Entropy (8bit):5.138802974250197
Encrypted:false
SSDEEP:3072:qZauFywUN4tbNLaCzweCRs0xxkdlNY5ZOTHg0mRU0ebgUynIY6/u2:Z4TLaiCRpxxCl8N0gjnIY6u2
MD5:C88816BAA0E5480DAAA3DBFC3847913F
SHA1:988E8A197EF8CAE391E5B891873861A688674643
SHA-256:D1C2408EDE3E9A62530C2EA6DE63A0E4AD720594EC44C44170A0081511BD05D9
SHA-512:5A2129D3744013773E144EC7F527ACA8414B3B1AAA599CE3C4E4883741FE103957700BBB17ED7D263B64D02B72691BD2461EA0D73EC4C85C7B89D4EC09F85BFE
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang='en' dir='ltr'>.<head>.<meta http-equiv="X-UA-Compatible" content="IE=edge" />.<link rel="shortcut icon" href="/images/icons/favicons/fav_logo.ico?7" />..<link rel="apple-touch-icon" href="/images/icons/pwa/apple/default.png?15">..<meta http-equiv="content-type" content="text/html; charset=windows-1251" />.<meta http-equiv="origin-trial" content="AiJEtxZTdbmRu3zkrD0Bg/GvReuip5r0aklN7tIrw1Yit01/+j7PNlJFAyMMo/vqqNVvDmRsGCPGfVtNn5ookQ8AAABueyJvcmlnaW4iOiJodHRwczovL3ZrLmNvbTo0NDMiLCJmZWF0dXJlIjoiRG9jdW1lbnRQaWN0dXJlSW5QaWN0dXJlQVBJIiwiZXhwaXJ5IjoxNjk0MTMxMTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0="><meta name="theme-color" content="#ffffff">.<meta name="color-scheme" content="light">..<title>Error | VK</title>..<noscript><meta http-equiv="refresh" content="0; URL=/badbrowser.php"></noscript>.<script nomodule>(function(){"use strict";function e({needRedirect:e}){const n=new XMLHttpRequest;n.open("GET","/badbrowser_stat.php?act=nomodule"),n.send(),e&&window.location.replace(
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):6645997
Entropy (8bit):7.9960820227785065
Encrypted:true
SSDEEP:98304:91Obp2zjJY231tFaCYTlZE1JLFSNGw6eJm5JeHxFKw7/X26jOnCB9XmtPtX4S8Bf:91OF2zjVpYD8vDwJmaHxbS2Os9qP0eEV
MD5:8433EAED37248E24EB963A444E5E1EED
SHA1:8D004418690587FC541547B2D0EFE2CFD629FBBA
SHA-256:7B4A250930BECEDC17B8D67DFEB39EE143B03466E85D2D77282AA52014BCA196
SHA-512:8656B020A34F6300F79675954DD56587E7678EC46DE92E53FC945E5FEFA476504761DB0FB0AD6F3C2C9F97D52CDD3767399EB8FC8655BCE5E77C40C1BE99BF56
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5132515
Entropy (8bit):7.9989710005062715
Encrypted:true
SSDEEP:98304:edvpKKEk7iDhtjYagGe5e5Nbx0U9WNuKnLYUhymVb2:ihwYiDfjgQWFLphJC
MD5:F7900D3A6E3F0A09BA62AC64B9290B34
SHA1:A48992FBDA2A879AA3A03D2FB319D4975EDD218B
SHA-256:8B0BB592AC99DC7FFBF70BFCFADABABB7BAD4E7AEFC8C8E965BFEE66ABDBC8AE
SHA-512:134C9F8276B9D48FF0C174D61B3618D7E52852C6BC7AE08146B352E7476BCA0F5330BC712D89F207E2443A956C809FDAF46F390DDD1A5F8C2FCBA2670D445070
Malicious:true
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................B...................@..........................0...................@..............................B........(..........................................................................................................CODE................................ ..`DATA....H...........................@...BSS.....4................................idata..B...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....(.......(..................@..P.............0......................@..P........................................................................................................................................
Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):316928
Entropy (8bit):6.544910731342647
Encrypted:false
SSDEEP:6144:JXkws5FHvbaXTLC42m+g51uHct7jGZyL:JUwsvbaXTLCfg514ct7aw
MD5:867B7D371368F7872DA473E89646AA0B
SHA1:632E18C92F4E304DFF18F8C6ACFE165D7F5F538C
SHA-256:CA3CB9514C8544017CEF8E68C76D4ABBB7028019D2DB0C4AC4D88C29700743DC
SHA-512:D5B492E5B15264F47F4C811BB0BC7584C3A914839A2D1EF962C217E6091203C72434EFB2D2100097A75B8BDAD007B1EC2A6849D51839BF1B23ECEB47802D1E86
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L.....Ed.............................g............@..........................................................................(..d.......p........................... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data....x...@.......&..............@....rsrc...p...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
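The Entropy, Encrypted, hash and Preview fields listed for each drop above are all derived from the raw bytes of the file; the two 5+ MB PE drops sit at 7.996 and 7.999 bits per byte (flagged Encrypted:true, i.e. a packed or encrypted body), while the two "Error | VK" HTML pages and the 316928-byte PE are well below that. The following triage helper is an added example, not Joe Sandbox code, that reproduces those fields from bytes: 8-bit Shannon entropy, a type from the magic bytes (including the "MZP" DOS stub and CODE/DATA/BSS sections typical of Delphi-linked binaries, as seen in the 5132515-byte drop), SHA-256, and the section names read from the COFF section table that the Preview column shows in clear (.text/.rdata/.data/.rsrc, .sxdata). The 7.9 cutoff for "encrypted" is an assumption for illustration; the sandbox's own threshold is not stated on this page. The sample inputs are constructed in the script and are not the report's files.

```python
import hashlib
import math
import random
import struct

# Assumed cutoff for the "encrypted" flag (illustration only; the sandbox's own
# threshold is not documented on the report page).
ENTROPY_ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def identify(data: bytes) -> str:
    """Classify by magic bytes: PE, Delphi-style PE (MZP stub), HTML, or unknown."""
    if data[:2] == b"MZ":
        # Borland/Delphi linkers emit an "MZP" DOS stub (cf. the MZP drop above).
        return "pe-delphi" if data[:3] == b"MZP" else "pe"
    head = data[:64].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    return "unknown"


def pe_sections(data: bytes) -> list:
    """Section names from the COFF section table, or [] if the PE header is invalid."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        return []
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        off = table + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes, name is first 8
        if off + 40 > len(data):
            break                     # truncated section table: keep what we have
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Report-style summary of one dropped file."""
    ent = shannon_entropy(data)
    return {
        "type": identify(data),
        "size": len(data),
        "entropy": round(ent, 6),
        "encrypted": ent >= ENTROPY_ENCRYPTED_THRESHOLD,
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": pe_sections(data),
    }


def build_synthetic_pe(section_names, payload: bytes, dos_stub: bytes = b"MZ") -> bytes:
    """Constructed, non-loadable PE skeleton for testing: DOS header with e_lfanew=0x40,
    PE\\0\\0, a COFF header with an empty optional header, the section table, the payload."""
    dos = dos_stub.ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + table + payload


# Constructed samples (not the report's files): a "packed" PE with a pseudo-random body,
# a Delphi-style PE with a low-entropy body, and a small HTML error page.
_rng = random.Random(1427735)
SAMPLE_PACKED = build_synthetic_pe(
    [".text", ".rdata", ".data", ".rsrc"],
    bytes(_rng.getrandbits(8) for _ in range(65536)))
SAMPLE_DELPHI = build_synthetic_pe(
    ["CODE", "DATA", "BSS"],
    b"This program must be run under Win32\r\n" * 200, dos_stub=b"MZP")
SAMPLE_HTML = b"<!DOCTYPE html>\n<html lang='en'><head><title>Error | VK</title></head></html>\n"

if __name__ == "__main__":
    for name, blob in (("packed", SAMPLE_PACKED), ("delphi", SAMPLE_DELPHI), ("html", SAMPLE_HTML)):
        print(name, triage(blob))
```

Run it on a real drop with `triage(open(path, "rb").read())`. Note that entropy alone does not separate a packed stager from a legitimately compressed resource blob; the section names, the "MZP"/Delphi stub and the sandbox's behavioural signatures are what turn a 7.99-entropy PE into a malicious verdict.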
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5388160
Entropy (8bit):6.884127351666352
Encrypted:false
SSDEEP:98304:J0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwo:aPMki6zio75L3pf3dedO4keCIwkoYbgI
MD5:CD54757EAFA70E59850F77982FAFCB49
SHA1:C339E58CD44295099CFFD1AB783FCC65A5A9913F
SHA-256:39D50F4716DAEF3C7B75E4DE57441390026036507E9B1676A927B85808BB526F
SHA-512:94B24A1E28CD7FE880C2CA6AA21DEFD92CA2B6B5000208A5F8528E4DED777647616D44818C42257C8C6C5F2B95BDE8C484DFE8AF5DFC0DBB198958F93E7D6D33
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):462337
Entropy (8bit):7.165289332124068
Encrypted:false
SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
MD5:3A4982B7D2352FB3089C01B9F33C25EB
SHA1:A87055A316E5E1227C237E0A44A941F98F583419
SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4396408
Entropy (8bit):7.971773908633874
Encrypted:false
SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):5128704
Entropy (8bit):7.955603913831852
Encrypted:false
SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
MD5:A25CDF843E60F609B970AC9414170A7A
SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4396408
Entropy (8bit):7.971773908633874
Encrypted:false
SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):5128704
Entropy (8bit):7.955603913831852
Encrypted:false
SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
MD5:A25CDF843E60F609B970AC9414170A7A
SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4396408
Entropy (8bit): 7.971773908633874
Encrypted: false
SSDEEP: 98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5: 281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1: CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256: 72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512: CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious: true
Reputation: unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 462337
Entropy (8bit): 7.165289332124068
Encrypted: false
SSDEEP: 6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
MD5: 3A4982B7D2352FB3089C01B9F33C25EB
SHA1: A87055A316E5E1227C237E0A44A941F98F583419
SHA-256: 7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
SHA-512: 048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
Malicious: true
Reputation: unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category: dropped
Size (bytes): 7446
Entropy (8bit): 5.422209848736349
Encrypted: false
SSDEEP: 192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5: 5B423612B36CDE7F2745455C5DD82577
SHA1: 0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256: E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512: C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5128704
Entropy (8bit): 7.955603913831852
Encrypted: false
SSDEEP: 98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
MD5: A25CDF843E60F609B970AC9414170A7A
SHA1: 9D0FEE8C64C58D674D383654A4391B8E41D994DC
SHA-256: 109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
SHA-512: E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
Malicious: true
Reputation: unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):462337
                                                                                                                                                                                                                              Entropy (8bit):7.165289332124068
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
                                                                                                                                                                                                                              MD5:3A4982B7D2352FB3089C01B9F33C25EB
                                                                                                                                                                                                                              SHA1:A87055A316E5E1227C237E0A44A941F98F583419
                                                                                                                                                                                                                              SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
                                                                                                                                                                                                                              SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):7446
                                                                                                                                                                                                                              Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                              MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                              SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                              SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                              SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884128419820281
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:P0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwh:cPMki6zio75L3pf3dedO4keCIwkoYbgB
                                                                                                                                                                                                                              MD5:5E71284947BF8E2B1B90B843D650CA13
                                                                                                                                                                                                                              SHA1:9C52DC35DC332632569056816836B747F73BB238
                                                                                                                                                                                                                              SHA-256:436FCD6CC8AC3A9761939819D7CDB47EEF995145BFDD7BB5A3FF302414878875
                                                                                                                                                                                                                              SHA-512:DD8989FB9E67D704F4F562C6D12398880690E1FDC27022F705470EC273C85D3965E0230203576C564F50C0BEC5EBC7F870CE2A665EFBA4A8E0ACC78215B1D2F0
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R.......R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884126803368091
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:f0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwg:sPMki6zio75L3pf3dedO4keCIwkoYbgA
                                                                                                                                                                                                                              MD5:47EB5DBC3AD1B569D0776F4CBF111342
                                                                                                                                                                                                                              SHA1:7C4A9800EAD26F628DE6C2E978242277BE707960
                                                                                                                                                                                                                              SHA-256:7A23897DCF9E267246C03EFB73C166D9D9B90B42B1913F87F3773B807581C3F5
                                                                                                                                                                                                                              SHA-512:AC33DDB04428CF35E519C4566DC4A63746600B1295F36942F26BD2E28C2E619AB031E5985BB7059BAB2B92F97728EFC82C30E81F1547CCD8ED4A68132966B78A
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R......(S...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):7446
                                                                                                                                                                                                                              Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                              MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                              SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                              SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                              SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884126021626081
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:l0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwZ:+PMki6zio75L3pf3dedO4keCIwkoYbg5
                                                                                                                                                                                                                              MD5:1560C8B87E585F41D68CB050AE0CF052
                                                                                                                                                                                                                              SHA1:6919DDFE2A4475883092257E9B8B12DE0811D1FC
                                                                                                                                                                                                                              SHA-256:D22C0AF0FC10A88FE2B59AE051951EB6DFF323D7A4C145C80AFCD69D9FD52A02
                                                                                                                                                                                                                              SHA-512:5E645243F8E44E28CFF5113B683ED97713DCCB56A6DB1E8B13905FEE9007C76B177F607E0343C69B3D8FC0BD0899D8C515FC86E5EDB985159CC4A61BB56C1B13
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R......HR...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):462337
                                                                                                                                                                                                                              Entropy (8bit):7.165289332124068
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
                                                                                                                                                                                                                              MD5:3A4982B7D2352FB3089C01B9F33C25EB
                                                                                                                                                                                                                              SHA1:A87055A316E5E1227C237E0A44A941F98F583419
                                                                                                                                                                                                                              SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
                                                                                                                                                                                                                              SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
Encrypted:false
SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):462337
Entropy (8bit):7.165289332124068
Encrypted:false
SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
MD5:3A4982B7D2352FB3089C01B9F33C25EB
SHA1:A87055A316E5E1227C237E0A44A941F98F583419
SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5388160
Entropy (8bit):6.884126316660053
Encrypted:false
SSDEEP:98304:90NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwk:WPMki6zio75L3pf3dedO4keCIwkoYbgE
MD5:EF199316DF30CB4E02F45F156EC63A9A
SHA1:1D01117469FE286CE64CD27DFCBF939DFC7E8F22
SHA-256:858F0951DC8F6A15014CE367AD4CD4274D93881AA5D0B101ED524389CD25BE3D
SHA-512:F7BACAE2D24E570911358EDE0B56CC0A94713A1CEBC47BBCB9D83AAD3B357F7CFE5494C0CF5BB2972542F469B9538BAE0F9100C3BBA918DE71040E9FED8C5A9E
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R......\R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):5128704
Entropy (8bit):7.955603913831852
Encrypted:false
SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
MD5:A25CDF843E60F609B970AC9414170A7A
SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):7446
                                                                                                                                                                                                                              Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                              MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                              SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                              SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                              SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):462337
                                                                                                                                                                                                                              Entropy (8bit):7.165289332124068
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
                                                                                                                                                                                                                              MD5:3A4982B7D2352FB3089C01B9F33C25EB
                                                                                                                                                                                                                              SHA1:A87055A316E5E1227C237E0A44A941F98F583419
                                                                                                                                                                                                                              SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
                                                                                                                                                                                                                              SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):462337
                                                                                                                                                                                                                              Entropy (8bit):7.165289332124068
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
                                                                                                                                                                                                                              MD5:3A4982B7D2352FB3089C01B9F33C25EB
                                                                                                                                                                                                                              SHA1:A87055A316E5E1227C237E0A44A941F98F583419
                                                                                                                                                                                                                              SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
                                                                                                                                                                                                                              SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
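Every dropped-file record above carries the same fields: a content-derived File Type, Size, 8-bit Entropy, MD5/SHA-1/SHA-256, and a Preview from which the PE section names (including the `.vmp#`-style names in the first record) can be read. The Python below recomputes those fields from raw bytes so a reader can verify a report's hashes or triage a dropped file offline. It is an added example, not code from Joe Sandbox or from this report, and it runs on two constructed inputs (a minimal, non-loadable PE32+ image with a packer-style section name, and an HTML stub standing in for a web page saved under an .exe name), not on the real dropped files. SSDEEP is omitted because it needs a third-party library; the section-name character set, the 7.2 bits/byte entropy threshold and the extension-vs-content check are the example's own heuristics.

```python
import hashlib
import math
import struct
from collections import Counter

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss", "_RDATA"}
PLAIN_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                       "0123456789._$")
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (the report's 'Entropy (8bit)')."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_type(data: bytes) -> str:
    """Classify by magic bytes, never by the file name's extension."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 26:
            return "MZ (no valid PE header)"
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
        return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE (unknown magic)")
    head = data.lstrip()[:32].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "HTML"
    return "unknown"


def pe_sections(data: bytes) -> list:
    """Walk the COFF section table and flag what a triage analyst looks for."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4
    count = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for i in range(count):
        (raw_name, vsize, _va, raw_size, raw_ptr, _r, _l, _nr, _nl,
         chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        flags = []
        if name not in STANDARD_SECTIONS:
            flags.append("non-standard name")
        if any(ch not in PLAIN_NAME_CHARS for ch in name):
            flags.append("special chars in name")      # '#', '<', non-printables
        if name.startswith(".vmp"):
            flags.append("VMProtect-style name")        # .vmp* is VMProtect's convention
        if raw_size and ent > 7.2:                      # heuristic packed/encrypted threshold
            flags.append("high entropy")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            flags.append("writable+executable")
        out.append({"name": name, "virtual_size": vsize, "raw_size": raw_size,
                    "entropy": round(ent, 3), "flags": flags})
    return out


def triage(data: bytes, path: str = "") -> dict:
    """One dropped-file record as a sandbox would print it, plus review notes."""
    kind = identify_type(data)
    rec = {"type": kind, "size": len(data),
           "entropy": round(shannon_entropy(data), 6),
           "md5": hashlib.md5(data).hexdigest().upper(),
           "sha1": hashlib.sha1(data).hexdigest().upper(),
           "sha256": hashlib.sha256(data).hexdigest().upper(),
           "sections": pe_sections(data) if kind.startswith("PE3") else [],
           "notes": []}
    if path.lower().endswith((".exe", ".dll")) and not kind.startswith("PE"):
        rec["notes"].append(f"executable extension but content is {kind}")
    for s in rec["sections"]:
        for f in s["flags"]:
            rec["notes"].append(f"section {s['name']!r}: {f}")
    return rec


def build_sample_pe() -> bytes:
    """Constructed, non-loadable PE32+: a NOP-sled .text plus a high-entropy
    section named in a packer's style ('.vmp#.V7'). Not a real dropped file."""
    nops = b"\x90" * 512 + b"\xC3"
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    secs = [(b".text", nops, 0x60000020), (b".vmp#.V7", blob, 0xE0000020)]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 238                       # PE32+ magic, rest zero
    offset, table, body = 0x40 + 4 + 20 + 240 + 40 * len(secs), b"", b""
    for n, (name, content, chars) in enumerate(secs):
        table += struct.pack("<8sIIIIIIHHI", name, len(content), 0x1000 * (n + 1),
                             len(content), offset, 0, 0, 0, 0, chars)
        body += content
        offset += len(content)
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed HTML stub standing in for a web page dropped under an .exe name.
SAMPLE_HTML = (b'<!DOCTYPE html>\n<html lang="" class="html">\n<head>\n'
               b'<meta http-equiv="refresh" content="0; url=https://example.invalid/">'
               b'\n</head>\n<body></body>\n</html>\n')

if __name__ == "__main__":
    for label, content in (("sample.exe", build_sample_pe()), ("page.exe", SAMPLE_HTML)):
        rec = triage(content, label)
        print(label, rec["type"], rec["size"], rec["entropy"], rec["sha256"][:16], rec["notes"])
```

The whole-file entropy is what the report's "Entropy (8bit)" column shows; values near 8.0 on a multi-megabyte PE, as in the records above, usually mean most of the image is compressed or encrypted, and the per-section breakdown tells you which sections carry it. The extension-vs-content note fires for the HTML sample because type is decided from the bytes, which is the same reason the report lists that artifact as "HTML document" rather than as an executable.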
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):7446
                                                                                                                                                                                                                              Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                              MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                              SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                              SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                              SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):7446
                                                                                                                                                                                                                              Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                              MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                              SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                              SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                              SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):7446
                                                                                                                                                                                                                              Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                              MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                              SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                              SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                              SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
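The dropped-file records above pair a declared File Type with an 8-bit entropy figure and a set of hashes; the 4396408-byte PE32 payload sits at 7.97 bits/byte (packed or encrypted body), while the 7446-byte IPLogger redirect page sits at 5.42. The following script is an added example, not part of the Joe Sandbox report, showing how a triage script reproduces those figures for files collected from a sandbox run and adds the check the report's "Creates HTML files with .exe extension" signature implies: classifying each file by content (MZ/PE signature or an HTML prologue) and flagging it when that disagrees with its extension. The 7.0 entropy threshold, the file names and the sample bytes are constructed for the example; SSDEEP is not reproduced because it needs a third-party library.

```python
"""Triage helpers for sandbox 'dropped file' records (added example, constructed inputs).

Computes size, 8-bit Shannon entropy and MD5/SHA-1/SHA-256, classifies the file by
content rather than by name, and flags (a) high-entropy bodies typical of packed
payloads and (b) files whose real type does not match their extension.
"""
import hashlib
import math
import os
import struct
from collections import Counter

HIGH_ENTROPY = 7.0  # assumed threshold; packed or encrypted PE bodies sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_kind(data: bytes) -> str:
    """Classify by magic bytes, not by file name: 'PE', 'HTML' or 'unknown'."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
    head = data[:64].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "HTML"
    return "unknown"


def triage(name: str, data: bytes) -> dict:
    """Build a record shaped like a sandbox dropped-file entry plus two verdict flags."""
    ext = os.path.splitext(name)[1].lower()
    kind = file_kind(data)
    expected = {".exe": "PE", ".dll": "PE", ".html": "HTML", ".htm": "HTML"}.get(ext)
    ent = shannon_entropy(data)
    return {
        "name": name,
        "size": len(data),
        "kind": kind,
        "entropy": round(ent, 4),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "high_entropy": ent > HIGH_ENTROPY,
        # True when the extension promises one type and the bytes are another
        "extension_mismatch": expected is not None and kind != expected,
    }


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic filler (SHA-256 in counter mode) so the example is repeatable offline."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])


def constructed_pe(body_len: int = 8192) -> bytes:
    """Minimal MZ stub with e_lfanew=0x40, a PE signature and a high-entropy body (constructed)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + _pseudo_random(body_len)


# Constructed stand-in for an HTML redirect page that a dropper wrote with an .exe name
CONSTRUCTED_HTML = b'<!DOCTYPE html>\n<html lang="" class="html"><head><title></title></head><body></body></html>\n'


if __name__ == "__main__":
    for rec in (triage("payload.exe", constructed_pe()),
                triage("redirect.exe", CONSTRUCTED_HTML)):
        print(rec)
```

On real sandbox output, point `triage()` at each file under the dropped-files directory; a record with `kind == "HTML"` and `extension_mismatch == True` is the expired-redirect case the report's signature describes, and `high_entropy` on a PE is the cue to expect an unpacking stage rather than readable code.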
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                              SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                              SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):7446
                                                                                                                                                                                                                              Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                              MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                              SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                              SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                              SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):7446
                                                                                                                                                                                                                              Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                              MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                              SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                              SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                              SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5388160
Entropy (8bit):6.884125378117049
Encrypted:false
SSDEEP:98304:/0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwy:MPMki6zio75L3pf3dedO4keCIwkoYbgS
MD5:B1D3A17EDD5DACC6B98BEC740C1B4A2F
SHA1:9E059C6CE6AC7E32D848B29026C34A5D0C1599F0
SHA-256:92A81D1CF0DADC90DEA8BD297EAA153A755B3B972D77D141E39C03F76C2D8B28
SHA-512:3F9914FE9C10AB719814BEC9625D2BF3F0A564F814FF6AFAC082BEB594D14831640BB2E59A3CA8B1E7F3E9AAB26AA4A416D25C11A752858202B02625995BD505
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):462337
Entropy (8bit):7.165289332124068
Encrypted:false
SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
MD5:3A4982B7D2352FB3089C01B9F33C25EB
SHA1:A87055A316E5E1227C237E0A44A941F98F583419
SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5388160
Entropy (8bit):6.884126544344988
Encrypted:false
SSDEEP:98304:d0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwwD:2PMki6zio75L3pf3dedO4keCIwkoYbgj
MD5:69E1ABABF2EDDB10050CF8F77602BBE5
SHA1:FD197C40FCDCB2585295FB1E1A3E7D81B04C65B1
SHA-256:7F6DAE24C6A7439C6894CA16A7376D87DE4CB64BE83CDBBE24E78AC7B9F9D749
SHA-512:42499B0E2E2BFAB62374142BC11A664B24ECC160D2980510B17123F139C8F91DE504F39BD80BB244EC0365A200D3FAFDCEBA0077A69D774EC7C4FAEC83A14236
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4396408
Entropy (8bit):7.971773908633874
Encrypted:false
SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5388160
Entropy (8bit):6.884125904829497
Encrypted:false
SSDEEP:98304:y0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwww6:HPMki6zio75L3pf3dedO4keCIwkoYbga
MD5:611A07F1F59CB67D20A7609D6444442D
SHA1:31B42E9431BA12416B2336E83BD0730D35790060
SHA-256:854BD34503D6676B526FF736B40FB3A65A2C089C66D7728BCA417E699440A049
SHA-512:D948E425E7BDCDC5C2AB7C0D7D60F133A964BA90F58DEDD5060A097F25D44B87DC3E5CD0DF9DAB378D46BC11AC206830F0137EA15A8CC17F99A4AE22A2B13055
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5388160
Entropy (8bit):6.884124407997752
Encrypted:false
SSDEEP:98304:k0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwwww:lPMki6zio75L3pf3dedO4keCIwkoYbgQ
MD5:C2F0D0D1B405D1F1476B802BE5DD2ED3
SHA1:CFC0651E0B9000018D138442324FB2D4555075E7
SHA-256:36A67B04FA544E6C6E2F33A5A837050136ED30360AF0FC3F96868D14F717487E
SHA-512:5C930F51A072936B7817ABC2A896DD06961422709D2530C35330B6F79FD0926927AE90BA2F98B6F4CBB8237457473EAF3D5CD32E7943D44CEF2DE9AD366B9B6C
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):462337
Entropy (8bit):7.165289332124068
Encrypted:false
SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
MD5:3A4982B7D2352FB3089C01B9F33C25EB
SHA1:A87055A316E5E1227C237E0A44A941F98F583419
SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):462337
                                                                                                                                                                                                                              Entropy (8bit):7.165289332124068
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6144:52bjG4z4HGToSUG/Xfl+jE2TgEVGuIrsvi6WTQo4PWcvhN/EdLTRLf:5kjGgToSUGP0hxGuPv+MaLlLf
                                                                                                                                                                                                                              MD5:3A4982B7D2352FB3089C01B9F33C25EB
                                                                                                                                                                                                                              SHA1:A87055A316E5E1227C237E0A44A941F98F583419
                                                                                                                                                                                                                              SHA-256:7A0BC7FD96BE7CDA19119D1FEEFA81196225786D98FDDD5E1AB5103C21F6CBC5
                                                                                                                                                                                                                              SHA-512:048675D6AA6F99B6EA6E5577D024A7B314D522C81BA867F2E2013D1839DB0D6C0947A1C67E2E5B905B577EDEB153C16D9ECFF6D386E96D59C4836BE3BE967509
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L......c.....................P.......g............@................................N........................................(..d.................................. ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data.......@.......&..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):6802728
                                                                                                                                                                                                                              Entropy (8bit):7.996235974818118
                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                              SSDEEP:196608:91OXbE7giOz8u70OteFI7tfL6TCdPeMLN3IA:3OIBOUIECdVLN4A
                                                                                                                                                                                                                              MD5:5D5DA0738299D8893B79A6C926765E5F
                                                                                                                                                                                                                              SHA1:B05C2CFD30CA1C163CB829B7E7E5EA2D6C57D1D1
                                                                                                                                                                                                                              SHA-256:53C80BEE05D28FE65AB0AE6459753FE7B804C0B68B85FAAF828576687EF28CA3
                                                                                                                                                                                                                              SHA-512:D9FFFE943131E71762F5E2E1AD3D23053069F0F028054BE9EC2C8491A6812ADADACBF099AB8FA79CA9916CEDA14CCAEDFE4A0E1E5235871A97145EF77D7B0B26
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5388160
                                                                                                                                                                                                                              Entropy (8bit):6.884127347307364
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:z0NFR6666666666666666666666666666666x666666666666666fwwwwwwwwww1:IPMki6zio75L3pf3dedO4keCIwkoYbgV
                                                                                                                                                                                                                              MD5:FAA5E9B03992A4E6148B799082100602
                                                                                                                                                                                                                              SHA1:6A7F81280293B1EE54DFA9E4CDB187DE441A4897
                                                                                                                                                                                                                              SHA-256:55067872C8F4490FBD427FBF6209B43E0F22A59AAF2A60F7733E2B1E51AFACB7
                                                                                                                                                                                                                              SHA-512:E1671D70469A13216A4EAF36A3752B537A66515A67FFA5CAA4CCBB966F54F1227FAD52115C32C26400CC4C4FC0DDAB47802DA463FA8E70BF1C1BB3B99CB6EE1D
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...zL.f.........."......Z....M.....|*............@..........................`R......\R...@.....................................P........{L...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....{L......|L..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):4396408
                                                                                                                                                                                                                              Entropy (8bit):7.971773908633874
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:KkZ2HRjDxUqNRSWw/fdG0ya8lhbNKCN+OMuHRmn++CozeYuDm:LZ2x3CqNcHdGTLNp+F+8elDm
                                                                                                                                                                                                                              MD5:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              SHA1:CB1ABAA337D77C1B8AE1502AE0C8B47027EE7FA7
                                                                                                                                                                                                                              SHA-256:72A115F25006EEF0B5762B7EF5E8644D13EB1A42A8D0FBAEEFAB1E07F7B34C64
                                                                                                                                                                                                                              SHA-512:CBA42B82A2D84872ABB45975852DB340E8DEAF3F9D965191B0E73B8186D1D2A42C7DD4F74EA1C740E9D0F363285D2E637AB71E51D8AD0EDF6FE7A993B53C8FC4
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....}.e.....................L.......g............@.................................K.C.....................................t(..d.......p.............C.x........... ...8........................... ...@............................................text.............................. ..`.rdata.............................@..@.data...H....@....?..&..............@....rsrc...p.............B.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5128704
                                                                                                                                                                                                                              Entropy (8bit):7.955603913831852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:98304:6eZ9klwlIGDH8gNN0/Y1pQtU4bizh9OjA+upZPdA5Jtfzq/sH0aN2CvV:6eZ9owNeZtU4FBuL1A5Lu/sH0g
                                                                                                                                                                                                                              MD5:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              SHA1:9D0FEE8C64C58D674D383654A4391B8E41D994DC
                                                                                                                                                                                                                              SHA-256:109A993670756619DB430191F217236914602B1AAC6FE093E1B8B1887CC3D9F9
                                                                                                                                                                                                                              SHA-512:E4DC2979919C8ECFB2A09FD78446DB57483E74FF2E3DDCB498D0718590EF0E9021424D6656822921D41B648A36253E9275045B2E4931F94F00C474B73444C6FD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."....'.....D........r........@.............................`.......TN...`...................................................f......P..........,............0..D............................r.(....,..@.............^..............................text............................... ..`.rdata..Fp..........................@..@.data...............................@....pdata.......P......................@..@_RDATA.......P......................@..@...N......`......................`..`...N... ..p5.....................`..h.vmp#.V7t....U..................... ..`.vmp#.VP.....^.....................@....vmp#.V<.M.. ^...M.................`..h.reloc..D....0........M.............@..@.rsrc........P.......&M.............@..@................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
                                                                                                                                                                                                                              File Type:RAGE Package Format (RPF),
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):1926
                                                                                                                                                                                                                              Entropy (8bit):3.310422749310586
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24:wSLevFeSLe5BeSwbv5qweSw4q7j/eScdepWDbVeScden2W8eScdemevtmeScdeRg:KFIBkbv5qwk4qfKV2QxVCZ
                                                                                                                                                                                                                              MD5:CDFD60E717A44C2349B553E011958B85
                                                                                                                                                                                                                              SHA1:431136102A6FB52A00E416964D4C27089155F73B
                                                                                                                                                                                                                              SHA-256:0EE08DA4DA3E4133E1809099FC646468E7156644C9A772F704B80E338015211F
                                                                                                                                                                                                                              SHA-512:DFEA0D0B3779059E64088EA9A13CD6B076D76C64DB99FA82E6612386CAE5CDA94A790318207470045EF51F0A410B400726BA28CB6ECB6972F081C532E558D6A8
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:PReg....[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r...;.D.i.s.a.b.l.e.A.n.t.i.S.p.y.w.a.r.e...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r...;.D.i.s.a.b.l.e.R.o.u.t.i.n.e.l.y.T.a.k.i.n.g.A.c.t.i.o.n...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.E.x.c.l.u.s.i.o.n.s...;.E.x.c.l.u.s.i.o.n.s._.E.x.t.e.n.s.i.o.n.s...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.E.x.c.l.u.s.i.o.n.s.\.E.x.t.e.n.s.i.o.n.s...;.e.x.e...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.R.e.a.l.-.T.i.m.e. .P.r.o.t.e.c.t.i.o.n...;.D.i.s.a.b.l.e.B.e.h.a.v.i.o.r.M.o.n.i.t.o.r.i.n.g...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.R.e.a.l.-.T.i.m.e. .P.
                                                                                                                                                                                                                              Process:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 127
Entropy (8bit): 5.080093624462795
Encrypted: false
SSDEEP: 3:1ELGUAgKLMzY+eWgTckbnnvjiBIFVTjSUgf4orFLsUov:1WsMzYHxbnvEcvgqv
MD5: 8EF9853D1881C5FE4D681BFB31282A01
SHA1: A05609065520E4B4E553784C566430AD9736F19F
SHA-256: 9228F13D82C3DC96B957769F6081E5BAC53CFFCA4FFDE0BA1E102D9968F184A2
SHA-512: 5DDEE931A08CFEA5BB9D1C36355D47155A24D617C2A11D08364FFC54E593064011DEE4FEA8AC5B67029CAB515D3071F0BA0422BB76AF492A3115272BA8FEB005
Malicious: true
Reputation: unknown
Preview: [General]..gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}]..Version=1..
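The Preview above is the complete body of a Group Policy gpt.ini: three CRLF-terminated lines (the report renders CRLF as "..") that add up to exactly the 127 bytes the report lists. The `gPCMachineExtensionNames` value is a list of bracket groups, each naming one client-side extension (CSE) GUID followed by the GUID(s) of the tool that wrote settings for it; `Version` is a DWORD whose low 16 bits are the machine policy version and whose high 16 bits are the user policy version. The first GUID here, {35378EAC-683F-11D2-A89A-00C04FBBCFA2}, is the Registry CSE, the extension that applies registry.pol to the policy keys, which is what a dropped local policy needs in order to push registry-backed settings. The following parser is an added example and not part of the Joe Sandbox report; the sample text is transcribed from the Preview line, the Registry CSE mapping is the only GUID the example names, and the second GUID is reported verbatim without identifying it.

```python
"""Parse a Group Policy gpt.ini and report which client-side extensions (CSEs)
the policy activates.  Added example, not part of the Joe Sandbox report.
SAMPLE_GPT_INI is the dropped file's content transcribed from the report's
Preview line ('..' there is CRLF); the parser and the single GUID mapping below
are this example's own."""
import re

# The Registry CSE: the extension that applies registry.pol to HKLM/HKCU policy keys.
REGISTRY_CSE = "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
# The second GUID in the dropped file is the tool/snap-in GUID paired with that CSE;
# this example does not identify it and reports it verbatim.

SAMPLE_GPT_INI = (
    "[General]\r\n"
    "gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
    "{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}]\r\n"
    "Version=1\r\n"
)

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
GROUP_RE = re.compile(r"\[((?:\{[0-9A-Fa-f-]{36}\})+)\]")


def parse_extension_names(value):
    """'[{cse}{tool}...][{cse}{tool}...]' -> [(cse_guid, [tool_guid, ...]), ...].
    Each bracket group names one CSE followed by the snap-in(s) that wrote settings for it."""
    groups = []
    for m in GROUP_RE.finditer(value):
        guids = [g.upper() for g in GUID_RE.findall(m.group(1))]
        if guids:
            groups.append((guids[0], guids[1:]))
    return groups


def parse_gpt_ini(text):
    """Minimal INI reader for the [General] section; returns versions and CSE lists.
    Version is a DWORD: low 16 bits = machine policy version, high 16 bits = user policy version."""
    general, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]") and "=" not in line:
            section = line[1:-1]
            continue
        if section == "General" and "=" in line:
            key, val = line.split("=", 1)
            general[key.strip()] = val.strip()
    version = int(general.get("Version", "0"))
    return {
        "machine_version": version & 0xFFFF,
        "user_version": version >> 16,
        "machine_ext": parse_extension_names(general.get("gPCMachineExtensionNames", "")),
        "user_ext": parse_extension_names(general.get("gPCUserExtensionNames", "")),
    }


def triage(parsed):
    """Findings a reviewer wants from a gpt.ini that was written by something other than the policy engine."""
    findings = []
    for cse, tools in parsed["machine_ext"]:
        if cse == REGISTRY_CSE:
            findings.append("machine policy enables the Registry CSE (Machine\\registry.pol will be applied "
                            f"at the next policy refresh); paired tool GUIDs: {', '.join(tools)}")
        else:
            findings.append(f"machine policy enables CSE {cse} (not mapped by this example)")
    for cse, _tools in parsed["user_ext"]:
        findings.append(f"user policy enables CSE {cse}")
    return findings


if __name__ == "__main__":
    parsed = parse_gpt_ini(SAMPLE_GPT_INI)
    print(parsed)
    for finding in triage(parsed):
        print("-", finding)
```

Run it against the real file under C:\Windows\System32\GroupPolicy\gpt.ini on a host where the sample executed and compare the machine version and CSE list with a known-good baseline; a Registry CSE entry in a local gpt.ini that no administrator created is the lead to follow into Machine\registry.pol.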
Process: C:\Windows\System32\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.466208936751544
Encrypted: false
SSDEEP: 6144:8IXfpi67eLPU9skLmb0b47WSPKaJG8nAgejZMMhA2gX4WABl0uNMdwBCswSba:BXD947WlLZMM6YFHO+a
MD5: 6065478D390B98452BD07343C9965ADD
SHA1: E2BAD0AA938012302A4E5C772446086C5F6F2153
SHA-256: 6A4C0A5DDE6E53975C56CF0BC5382EA7EE7F844727325597C00383605D3AEF6D
SHA-512: 7556C93AB75C0E4FB9081F1C1CEAE44752CEC735AE867B87AAB3BFD1B0667EDA59326B26D82BA488FFEFF5CCBC1DA338C90E5675587CD34740C1761EA1D489F1
Malicious: false
Reputation: unknown
Preview: regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmR*.`(................................................................................................................................................................................................................................................................................................................................................!.T........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.6248818765384865
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe
File size: 570'320 bytes
MD5: e1d8325b086f91769120381b78626e2e
SHA1: 0eb6827878445d3e3e584b7f08067a7a4dc9e618
SHA256: b925abb193e7003f4a692064148ffe7840096022a44f4d5ae4c0abb59a287934
SHA512: c8c0b424c2ed7ee598997bdc0b0d2099b650a280903716891b0eaa340acf556c0642d921fcb7f654387a4a1f1ec4a32feaf8d872b51ca482a977f11e2974072c
SSDEEP: 12288:vWcj324ri1mvJnrOj1fiTvwG/APkmUETuegWaR0j:vWcj/rxvJnCj1aTviPkmZLJaR0j
TLSH: 80C4F121B3DC4A2BCBAF03BDA47814211BB0E257554BCB5F5D8498DE1C8BB855F22B93
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."...0.................. ....@...... .......................`......W.....`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x400000 (equal to the Imagebase, i.e. AddressOfEntryPoint is 0; this is normal for a PE32+ .NET assembly, which has no native entry stub: the loader recognises the COM descriptor directory and hands control to the CLR)
Entrypoint Section: (none: RVA 0 is the DOS header, not a section)
Digitally signed: true (but see Signature Valid below)
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x661FA6AD [Wed Apr 17 10:38:37 2024 UTC]
TLS Callbacks: (none; the TLS data directory is empty)
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: (none: the image has no import directory, so there is nothing to hash; a managed PE32+ image resolves its native dependencies through the CLR)
Signature Valid: false
Signature Issuer: C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011 (identical to the Subject Chain entry below, so the certificate is self-signed and the Microsoft CA name is spoofed; the genuine Microsoft Code Signing PCA 2011 is an intermediate issued by Microsoft Root Certificate Authority 2011 and chains to a trusted root)
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487 (0x800B0109, CERT_E_UNTRUSTEDROOT)
Not Before, Not After:
• 17/04/2024 12:58:54, 17/04/2025 12:58:54 (the certificate was issued on the same day as the PE Time Stamp above)
Subject Chain:
• C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
Version: 3
Thumbprint MD5: 0C9100B87B48188A5B9DE050DF4E3813
Thumbprint SHA-1: 489041866D9D09C277FFD4FCD82FDB39453ABF1E
Thumbprint SHA-256: A20268991ADEB27FD9CCF3A4E4ED4684BC4ABAF20802056BBEB6976C35075C6B
Serial: 00CD8F27F53C159B486BE6F49AD6BA7FAE
Instruction (disassembly at the entrypoint; because the entry RVA is 0 these are the DOS header bytes 4D 5A 90 00 03 00 00 00 04 00 00 00 decoded as x86 and not real code):
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x34000          0xb1c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x89af0          0x18e0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x32012          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2000           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Note: the SECURITY entry is a raw file offset rather than an RVA, which is why it maps to no section; 0x89af0 + 0x18e0 = 0x8b3d0 = 570'320, the file size, so the Authenticode certificate table is the overlay at the very end of the file. The empty IMPORT and IAT entries together with the populated COM_DESCRIPTOR entry are the static signature of a managed image.
Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text  0x2000           0x300b8       0x30200   8e365c1dd04669b4d558fd8e896e5181  False     0.4225700081168831  data       5.998151303617744   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  0x34000          0xb1c         0xc00     44ef1cd16dd1c79a6949328325e98022  False     0.2835286458333333  data       4.2976721856944415  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                               Language  Country        ZLIB Complexity
RT_VERSION   0x340b8  0x43c  data                                                                                                        0.4806273062730627
RT_VERSION   0x344f4  0x43c  data                                                                               English   United States  0.48247232472324725
RT_MANIFEST  0x34930  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                           0.5489795918367347
Language of compilation system  Country where language is spoken
English                         United States
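The signature block and the data-directory and section tables above together tell the static story of this sample: a self-signed certificate that borrows a Microsoft CA name and fails chain validation, and a PE32+ image with no import table, an entry RVA of 0 and a CLR header, whose Authenticode blob sits exactly at the end of the file. The following script is an added example, not part of the Joe Sandbox report: the constants are transcribed from the report's fields (file size, data directories, sections, signer subject and issuer, error number), while the consistency checks and the small HRESULT table are the example's own. It encodes the checks a reviewer would otherwise do by hand, in particular that the SECURITY directory is a file offset whose end must coincide with EOF, and that the signed 32-bit error number the report prints is CERT_E_UNTRUSTEDROOT.

```python
"""Consistency checks over the static PE and signature fields printed in the report
above.  Added example, not part of the Joe Sandbox report; the constants are
transcribed from the report, the check logic and the HRESULT table are this
example's own."""

FILE_SIZE = 570320          # "File size: 570'320 bytes"
IMAGE_BASE = 0x400000       # "Imagebase"
ENTRYPOINT_VA = 0x400000    # "Entrypoint": the report prints ImageBase + AddressOfEntryPoint

# name -> (VirtualAddress, Size) as listed in the data directory table.
# By PE definition the SECURITY entry's "VirtualAddress" is a raw file offset, not an RVA.
DATA_DIRS = {
    "EXPORT": (0x0, 0x0),
    "IMPORT": (0x0, 0x0),
    "RESOURCE": (0x34000, 0xb1c),
    "SECURITY": (0x89af0, 0x18e0),
    "DEBUG": (0x32012, 0x1c),
    "IAT": (0x0, 0x0),
    "COM_DESCRIPTOR": (0x2000, 0x48),
}
# (name, VirtualAddress, VirtualSize, RawSize) from the section table
SECTIONS = [(".text", 0x2000, 0x300b8, 0x30200), (".rsrc", 0x34000, 0xb1c, 0xc00)]

_MS_PCA = ("C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, "
           "O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011")
SIGNER = {"issuer": _MS_PCA, "subject": _MS_PCA, "valid": False, "error": -2146762487}

# WinTrust / CryptoAPI HRESULTs a signature check commonly returns (winerror.h values)
HRESULT_NAMES = {
    0x800B0100: "TRUST_E_NOSIGNATURE",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010A: "CERT_E_CHAINING",
    0x800B010C: "CERT_E_REVOKED",
    0x80096010: "TRUST_E_BAD_DIGEST",
}


def hresult(code):
    """Map the signed 32-bit error number the report prints to (hex string, symbolic name)."""
    u = code & 0xFFFFFFFF
    return f"0x{u:08X}", HRESULT_NAMES.get(u, "UNKNOWN")


def rva_to_section(rva, sections=SECTIONS):
    """Section whose virtual range contains rva, or None (headers / outside the image)."""
    for name, va, vsize, _raw in sections:
        if va <= rva < va + vsize:
            return name
    return None


def is_managed_pe32plus(entry_va, image_base, dirs=DATA_DIRS):
    """A PE32+ .NET image has AddressOfEntryPoint 0, a CLR (COM descriptor) header and no
    import table; that is why the report shows an empty Entrypoint Section and no Import Hash."""
    entry_rva = entry_va - image_base
    return entry_rva == 0 and dirs["COM_DESCRIPTOR"][1] > 0 and dirs["IMPORT"][1] == 0


def signature_is_overlay(file_size, dirs=DATA_DIRS):
    """The certificate table is a (file offset, size) pair; when it ends exactly at EOF the
    signature is the overlay.  Authenticode hashes the file minus the checksum field, this
    directory entry and the blob itself, so bytes appended after it would break the digest."""
    off, size = dirs["SECURITY"]
    return size > 0 and off + size == file_size


def triage(file_size=FILE_SIZE, entry_va=ENTRYPOINT_VA, image_base=IMAGE_BASE,
           dirs=DATA_DIRS, signer=SIGNER):
    """Return the human-readable findings for one set of report fields."""
    findings = []
    if is_managed_pe32plus(entry_va, image_base, dirs):
        clr_rva = dirs["COM_DESCRIPTOR"][0]
        findings.append("managed PE32+: entry RVA 0, no import directory, CLR header at "
                        f"RVA 0x{clr_rva:x} in {rva_to_section(clr_rva)}")
    if signature_is_overlay(file_size, dirs):
        off, size = dirs["SECURITY"]
        findings.append(f"Authenticode blob is the overlay: file offset 0x{off:x}, {size} bytes, ends at EOF")
    if signer["subject"] == signer["issuer"]:
        findings.append("signer certificate is self-signed (subject == issuer): the CA name is spoofed")
    if not signer["valid"]:
        findings.append("signature does not verify: %s %s" % hresult(signer["error"]))
    return findings


if __name__ == "__main__":
    for finding in triage():
        print("-", finding)
```

The same functions apply to any other report or to fields pulled from a PE parser; the one thing to keep straight is that `Entrypoint` in a Joe Sandbox report is already the virtual address (ImageBase added), so the RVA has to be recovered by subtracting `Imagebase` before deciding whether the entry lies in a section.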
Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


Target ID: 0
Start time: 02:35:54
Start date: 18/04/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe"
Imagebase: 0x1e7b5d40000 (not the preferred base 0x400000 from the header: DYNAMIC_BASE and HIGH_ENTROPY_VA are set, so the image was relocated by ASLR)
File size: 570'320 bytes
MD5 hash: E1D8325B086F91769120381B78626E2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language (report heuristic; the static file type above identifies the sample as a Mono/.Net assembly)
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2411331877.000001E7B80B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

                                                                                                                                                                                                                              Target ID:1
                                                                                                                                                                                                                              Start time:02:35:55
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe" -Force
                                                                                                                                                                                                                              Imagebase:0x7ff788560000
                                                                                                                                                                                                                              File size:452'608 bytes
                                                                                                                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:2
                                                                                                                                                                                                                              Start time:02:35:55
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:3
                                                                                                                                                                                                                              Start time:02:35:55
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                                                                                                                                              Imagebase:0xde0000
                                                                                                                                                                                                                              File size:108'664 bytes
                                                                                                                                                                                                                              MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:4
                                                                                                                                                                                                                              Start time:02:35:55
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                                                              Wow64 process (32bit):
                                                                                                                                                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                                                                                                                                              Imagebase:
                                                                                                                                                                                                                              File size:108'664 bytes
                                                                                                                                                                                                                              MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:5
                                                                                                                                                                                                                              Start time:02:35:55
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                                                                              Imagebase:0x7ff6eef20000
                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:6
                                                                                                                                                                                                                              Start time:02:35:56
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\WerFault.exe -pss -s 208 -p 7412 -ip 7412
                                                                                                                                                                                                                              Imagebase:0x7ff617fe0000
                                                                                                                                                                                                                              File size:570'736 bytes
                                                                                                                                                                                                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:7
                                                                                                                                                                                                                              Start time:02:35:56
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\WerFault.exe -u -p 7412 -s 1156
                                                                                                                                                                                                                              Imagebase:0x7ff617fe0000
                                                                                                                                                                                                                              File size:570'736 bytes
                                                                                                                                                                                                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:8
                                                                                                                                                                                                                              Start time:02:35:58
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe"
                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                              File size:462'337 bytes
                                                                                                                                                                                                                              MD5 hash:3A4982B7D2352FB3089C01B9F33C25EB
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.3336518839.0000000002F1E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000003.2351558121.000000000634A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:low
Has exited:false

Target ID:9
Start time:02:35:59
Start date:18/04/2024
Path:C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:0x7ff693ab0000
File size:496'640 bytes
MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:10
Start time:02:35:59
Start date:18/04/2024
Path:C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\JIsbjewlnghreiCB15kllzTk.exe"
Imagebase:0x400000
File size:4'396'408 bytes
MD5 hash:281F44C8C6F0CFBC293E1FDB8B3EE782
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:low
Has exited:false

Target ID:11
Start time:02:35:59
Start date:18/04/2024
Path:C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\7ifrWkUACu1QmnINWqs0eu9h.exe"
Imagebase:0x400000
File size:4'396'408 bytes
MD5 hash:281F44C8C6F0CFBC293E1FDB8B3EE782
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:12
Start time:02:36:01
Start date:18/04/2024
Path:C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe" --silent --allusers=0
Imagebase:0xf80000
File size:5'388'160 bytes
MD5 hash:EF199316DF30CB4E02F45F156EC63A9A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:13
Start time:02:36:01
Start date:18/04/2024
Path:C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Pictures\KI5P6OyhHMwNaNA4w0xtd3UY.exe"
Imagebase:0x7ff79c960000
File size:5'128'704 bytes
MD5 hash:A25CDF843E60F609B970AC9414170A7A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:14
Start time:02:36:02
Start date:18/04/2024
Path:C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Pictures\T2RIU3FpH6dczIGTG32vuvvE.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2bc,0x6c60e1d0,0x6c60e1dc,0x6c60e1e8
Imagebase:0xf80000
File size:5'388'160 bytes
MD5 hash:EF199316DF30CB4E02F45F156EC63A9A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:15
Start time:02:36:06
Start date:18/04/2024
Path:C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe"
Imagebase:0x400000
File size:462'337 bytes
MD5 hash:3A4982B7D2352FB3089C01B9F33C25EB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000F.00000002.3375966593.0000000002FAE000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:low
Has exited:false

Target ID:16
Start time:02:36:06
Start date:18/04/2024
Path:C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\QHuPF3k4no0JL9DdGqDYtkCG.exe"
Imagebase:0x400000
File size:4'396'408 bytes
MD5 hash:281F44C8C6F0CFBC293E1FDB8B3EE782
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000010.00000002.3380053915.0000000004D40000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:low
Has exited:false

Target ID:17
Start time:02:36:07
Start date:18/04/2024
Path:C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\Yz2gr4IqEnTCH1g642bo4hrO.exe"
Imagebase:0x400000
File size:4'396'408 bytes
MD5 hash:281F44C8C6F0CFBC293E1FDB8B3EE782
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000011.00000002.3312662666.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:18
                                                                                                                                                                                                                              Start time:02:36:12
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:"C:\Users\user\Pictures\3wiDjAuNAMEeKc2Sp8AJvkHN.exe"
                                                                                                                                                                                                                              Imagebase:0x7ff788cc0000
                                                                                                                                                                                                                              File size:5'128'704 bytes
                                                                                                                                                                                                                              MD5 hash:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:19
                                                                                                                                                                                                                              Start time:02:36:13
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe" --silent --allusers=0
                                                                                                                                                                                                                              Imagebase:0x70000
                                                                                                                                                                                                                              File size:5'388'160 bytes
                                                                                                                                                                                                                              MD5 hash:C2F0D0D1B405D1F1476B802BE5DD2ED3
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:21
                                                                                                                                                                                                                              Start time:02:36:15
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Users\user\Pictures\syLcQZGPHHUJ3M0wbg0XxQZf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6bf8e1d0,0x6bf8e1dc,0x6bf8e1e8
                                                                                                                                                                                                                              Imagebase:0x70000
                                                                                                                                                                                                                              File size:5'388'160 bytes
                                                                                                                                                                                                                              MD5 hash:C2F0D0D1B405D1F1476B802BE5DD2ED3
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:22
                                                                                                                                                                                                                              Start time:02:36:15
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\Pictures\wjaGPzkDQjpdcbjBR9AwSFKW.exe"
                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                              File size:6'802'728 bytes
                                                                                                                                                                                                                              MD5 hash:5D5DA0738299D8893B79A6C926765E5F
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:23
                                                                                                                                                                                                                              Start time:02:36:15
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\Pictures\SU1be6oqYDorLkUc1l6IPPFB.exe"
                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                              File size:462'337 bytes
                                                                                                                                                                                                                              MD5 hash:3A4982B7D2352FB3089C01B9F33C25EB
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000017.00000002.3372271879.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000017.00000002.3387263069.0000000002F7E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:24
                                                                                                                                                                                                                              Start time:02:36:17
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\Pictures\Vh2fqCjm9jPtwuJrcfbbwxLj.exe"
                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                              File size:4'396'408 bytes
                                                                                                                                                                                                                              MD5 hash:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                              • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000018.00000002.3312827601.0000000000843000.00000040.00000001.01000000.00000015.sdmp, Author: Joe Security
                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:25
                                                                                                                                                                                                                              Start time:02:36:17
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5me5kJjaX6nSu3LrmZClhT87.bat" "
                                                                                                                                                                                                                              Imagebase:0x7ff6373f0000
                                                                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:26
                                                                                                                                                                                                                              Start time:02:36:17
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:27
                                                                                                                                                                                                                              Start time:02:36:18
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Users\user\Pictures\PqdYh9kiVSkf3FjC9RDfcS2e.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\Pictures\PqdYh9kiVSkf3FjC9RDfcS2e.exe"
                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                              File size:4'396'408 bytes
                                                                                                                                                                                                                              MD5 hash:281F44C8C6F0CFBC293E1FDB8B3EE782
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:28
                                                                                                                                                                                                                              Start time:02:36:19
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe" --silent --allusers=0
                                                                                                                                                                                                                              Imagebase:0xf70000
                                                                                                                                                                                                                              File size:5'388'160 bytes
                                                                                                                                                                                                                              MD5 hash:CD54757EAFA70E59850F77982FAFCB49
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:29
                                                                                                                                                                                                                              Start time:02:36:21
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\T2RIU3FpH6dczIGTG32vuvvE.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\T2RIU3FpH6dczIGTG32vuvvE.exe" --version
                                                                                                                                                                                                                              Imagebase:0x3f0000
                                                                                                                                                                                                                              File size:5'388'160 bytes
                                                                                                                                                                                                                              MD5 hash:EF199316DF30CB4E02F45F156EC63A9A
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:31
                                                                                                                                                                                                                              Start time:02:36:22
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Users\user\Pictures\0XytwVHS3WE9jtGuuRid6GiP.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6b0de1d0,0x6b0de1dc,0x6b0de1e8
                                                                                                                                                                                                                              Imagebase:0xf70000
                                                                                                                                                                                                                              File size:5'388'160 bytes
                                                                                                                                                                                                                              MD5 hash:CD54757EAFA70E59850F77982FAFCB49
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:33
                                                                                                                                                                                                                              Start time:02:36:23
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Users\user\Pictures\mm4Q31XfpYKjbn6ceSwXhER9.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\Pictures\mm4Q31XfpYKjbn6ceSwXhER9.exe"
                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                              File size:462'337 bytes
                                                                                                                                                                                                                              MD5 hash:3A4982B7D2352FB3089C01B9F33C25EB
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:34
                                                                                                                                                                                                                              Start time:02:36:23
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:"C:\Users\user\Pictures\GGlApx2WKpOBsEMsKqplE6Uf.exe"
                                                                                                                                                                                                                              Imagebase:0x7ff6a09b0000
                                                                                                                                                                                                                              File size:5'128'704 bytes
                                                                                                                                                                                                                              MD5 hash:A25CDF843E60F609B970AC9414170A7A
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:35
                                                                                                                                                                                                                              Start time:02:36:23
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                                                                                                                                                              Imagebase:0x7ff6eef20000
                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:36
                                                                                                                                                                                                                              Start time:02:36:23
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
                                                                                                                                                                                                                              Imagebase:0x7ff6eef20000
                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:37
                                                                                                                                                                                                                              Start time:02:36:23
                                                                                                                                                                                                                              Start date:18/04/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                                                                                              Imagebase:0x7ff6eef20000
                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:false

Target ID: 38
Start time: 02:36:24
Start date: 18/04/2024
Path: C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\oE07FMGKijbqRxoSOEfcVNr4.exe"
Imagebase: 0x400000
File size: 4'396'408 bytes
MD5 hash: 281F44C8C6F0CFBC293E1FDB8B3EE782
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 39
Start time: 02:36:29
Start date: 18/04/2024
Path: C:\Users\user\Pictures\1HakjlIwxygCinOPkQfhRxwL.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\1HakjlIwxygCinOPkQfhRxwL.exe"
Imagebase: 0x400000
File size: 4'396'408 bytes
MD5 hash: 281F44C8C6F0CFBC293E1FDB8B3EE782
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 40
Start time: 02:36:29
Start date: 18/04/2024
Path: C:\Users\user\Pictures\F6G6Y5cEUOHQw9dTwu4nNoIO.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\F6G6Y5cEUOHQw9dTwu4nNoIO.exe"
Imagebase: 0x400000
File size: 4'396'408 bytes
MD5 hash: 281F44C8C6F0CFBC293E1FDB8B3EE782
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 41
Start time: 02:36:31
Start date: 18/04/2024
Path: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\0XytwVHS3WE9jtGuuRid6GiP.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\0XytwVHS3WE9jtGuuRid6GiP.exe" --version
Imagebase: 0x720000
File size: 5'388'160 bytes
MD5 hash: CD54757EAFA70E59850F77982FAFCB49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 42
Start time: 02:36:32
Start date: 18/04/2024
Path: C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\kuRSiZPmKhbW1guMqYXCvrAu.exe" --silent --allusers=0
Imagebase: 0xf60000
File size: 5'388'160 bytes
MD5 hash: B1D3A17EDD5DACC6B98BEC740C1B4A2F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 43
Start time: 02:36:34
Start date: 18/04/2024
Path: C:\Users\user\AppData\Local\Temp\7zS2746.tmp\Install.exe
Wow64 process (32bit): true
Commandline: .\Install.exe /sQwdidHh "385118" /S
Imagebase: 0xd10000
File size: 7'157'248 bytes
MD5 hash: E77964E011D8880EAE95422769249CA4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 44
Start time: 02:36:34
Start date: 18/04/2024
Path: C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Pictures\kBnX25PRDA3FRCf96qRj6qpV.exe"
Imagebase: 0x7ff7eb540000
File size: 5'128'704 bytes
MD5 hash: A25CDF843E60F609B970AC9414170A7A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true


Execution Graph

Execution Coverage: 11.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
execution_graph: 14161 7ffd9b884442 -> 14162 7ffd9b884451 (VirtualProtect) -> 14164 7ffd9b88453e

Control-flow Graph (graph for the function at 7ffd9b889b70; node list omitted)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2775008525.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: Y_L;
• API String ID: 0-493232020
• Opcode ID: 51af3926d4304d0e222676d4336099444fc7f8f1816366476b40051dc56cc9c8
• Instruction ID: 7e5766a78c30d018719a5224409cf87f8acd5124bdca0cddda1b8b4d2dcf572a
• Opcode Fuzzy Hash: 51af3926d4304d0e222676d4336099444fc7f8f1816366476b40051dc56cc9c8
• Instruction Fuzzy Hash: 3352F730B09A0D8FDB68DB68D865A7977E1FF58301B1501BEE05EC76A2DE34ED428781
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.2775008525.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • Opcode ID: 9e84a36683340bb9494d712caba08cf7457f9e0513d6318203930127ef65e0e5
                                                                                                                                                                                                                                • Instruction ID: acb02db1ba7f71f8acc5a15b09f8b5ac5ea0183273f87f684e2e0ff3e8276c79
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9e84a36683340bb9494d712caba08cf7457f9e0513d6318203930127ef65e0e5
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E8B2C671B19A4D8FDBACDF98D465A787BE1FF59300F1500BAD04EC72A2DE24AD428B41
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.2775008525.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • Opcode ID: 004702f22199f341bbc4769ac5142bf576734e43ee8826a654e6ea2f077da280
                                                                                                                                                                                                                                • Instruction ID: 0d3ceedc5f94d3432cd7985e1690d5ae61a00a760dd96bbce24fc3d19ba4cbb6
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 004702f22199f341bbc4769ac5142bf576734e43ee8826a654e6ea2f077da280
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 65B28830A0EA4A8FEB69CB54C4616B47FD1EF99310F1541BDD48ECB5E3DE28A946C780
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.2775008525.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • Opcode ID: 4c2477126baa8f7b7e61a7f07a52ec875da7dce696702540e4a480598ca6e5cd
                                                                                                                                                                                                                                • Instruction ID: a75800dce56d6359d4a5bc724480f0ba33940ea8ffc113a140607259b754180b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4c2477126baa8f7b7e61a7f07a52ec875da7dce696702540e4a480598ca6e5cd
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9572793170DB4A4FE768EB68C4615B57BE1FF99300B0145BED48AC72A2DE38E946C781
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph

(control_flow_graph 2160, function starting at 7ffd9b88cde9: internal calls only, to 7ffd9b888650, 7ffd9b888db0, 7ffd9b88c350, 7ffd9b8889f0 and 7ffd9b885448; no Windows API calls in this graph)
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.2775008525.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • Opcode ID: ea4ed0b1fd85c3fb95d316c7aa0a096dfc8c3a48bcca552cc49a6cc1a99f29d1
                                                                                                                                                                                                                                • Instruction ID: 56f7bea3cd8a5421cc146b6a0815b29868b3e328d360f94e5c49ff3759dd9e79
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ea4ed0b1fd85c3fb95d316c7aa0a096dfc8c3a48bcca552cc49a6cc1a99f29d1
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CEF1AC3160DF8A4FE329CB2884A5575B7D2FF99301B1446BED4DAC72B5DE38A942C780
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.2775008525.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • Opcode ID: 416ae4ee69a5c30026191844f49b8052b44c6a45f4069de5f8f73f733126b504
                                                                                                                                                                                                                                • Instruction ID: 42b8f96729046a75c3fc2b1d2472c631ec80606ccbf6c94fcff8158fbb3c7d3b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 416ae4ee69a5c30026191844f49b8052b44c6a45f4069de5f8f73f733126b504
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6771B73171CE0E4FD76CEB6898654B9B3E1FF99310B41063EE59BC3296DE34E9428681
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.2775008525.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • Opcode ID: acbbeb4e4a92edefe8d79b115dbcae39e638d85722decc8489429b667cf28284
                                                                                                                                                                                                                                • Instruction ID: b387a50101094e4f2dc83475674aa93c240997043e96edcbf380d047ddf8c9c6
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: acbbeb4e4a92edefe8d79b115dbcae39e638d85722decc8489429b667cf28284
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2B41583160E78D0FD71E9A3888620B53FA1EB47220B1682BFD4C7CB5A7DC25690783D1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.2775008525.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • Opcode ID: 9da5dd53c2ac88c59700be25c03e648a39f95f2aef2c25fb5e5107d07970e417
                                                                                                                                                                                                                                • Instruction ID: 40a807a139e3a31cef4eae6668ee685909333b7d96cc5df733cdc73d52235515
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9da5dd53c2ac88c59700be25c03e648a39f95f2aef2c25fb5e5107d07970e417
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C3412821A0E78D0FD71E9B7888654A53FA6EB87210B1682BBD4C7CB1E7DC2459078391
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph

(control_flow_graph 560, function starting at 7ffd9b884442: basic block 7ffd9b884476-7ffd9b88453c calls VirtualProtect)
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.2775008525.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ProtectVirtual
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 544645111-0
                                                                                                                                                                                                                                • Opcode ID: 1f378b9627467f9b17ae45bc619183ca2f5de55e8954f335c2be5375a44f76a7
                                                                                                                                                                                                                                • Instruction ID: e3d5caa5a2b633daed3a8a8f3365b2b35efec37797c65b03ff98260acfe1b708
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1f378b9627467f9b17ae45bc619183ca2f5de55e8954f335c2be5375a44f76a7
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6441273190DB894FDB1D9BA898166F97BE0EF56321F0443AFD099C3192DA786806C792
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                control_flow_graph 1768 7ffd9b960e29-7ffd9b960e9c 1773 7ffd9b960e9e-7ffd9b960ecf 1768->1773 1774 7ffd9b960ee6-7ffd9b960ee8 1768->1774 1776 7ffd9b961027-7ffd9b961036 1773->1776 1777 7ffd9b960ed5-7ffd9b960ee5 1773->1777 1775 7ffd9b960ee9-7ffd9b960efb 1774->1775 1774->1776 1778 7ffd9b960efc-7ffd9b960f1a 1775->1778 1781 7ffd9b961038-7ffd9b961039 1776->1781 1777->1774 1778->1776 1782 7ffd9b960f20-7ffd9b960f33 1778->1782 1783 7ffd9b96103c-7ffd9b96105a 1781->1783 1784 7ffd9b96103b 1781->1784 1788 7ffd9b960fa4-7ffd9b960fb3 1782->1788 1789 7ffd9b960f35-7ffd9b960f36 1782->1789 1785 7ffd9b96105b-7ffd9b961069 1783->1785 1784->1783 1791 7ffd9b96106b-7ffd9b961097 1785->1791 1790 7ffd9b960fb4-7ffd9b960fb6 1788->1790 1789->1778 1792 7ffd9b960f38 1789->1792 1790->1776 1793 7ffd9b960fb8-7ffd9b960fea 1790->1793 1796 7ffd9b961099-7ffd9b9610b0 1791->1796 1797 7ffd9b9610cc-7ffd9b9610e4 1791->1797 1792->1790 1795 7ffd9b960f3a 1792->1795 1793->1785 1811 7ffd9b960fec-7ffd9b960fef 1793->1811 1798 7ffd9b960f81 1795->1798 1799 7ffd9b960f3c 1795->1799 1802 7ffd9b9610b2-7ffd9b9610ca 1796->1802 1803 7ffd9b961121-7ffd9b961157 1796->1803 1797->1803 1798->1776 1800 7ffd9b960f87-7ffd9b960fa2 1798->1800 1804 7ffd9b960f40-7ffd9b960f45 1799->1804 1800->1788 1802->1797 1816 7ffd9b961159-7ffd9b961170 1803->1816 1817 7ffd9b96118c-7ffd9b9611a4 1803->1817 1804->1804 1810 7ffd9b960f47-7ffd9b960f65 1804->1810 1810->1776 1818 7ffd9b960f6b-7ffd9b960f7e 1810->1818 1811->1791 1815 7ffd9b960ff1 1811->1815 1815->1781 1820 7ffd9b960ff3-7ffd9b961026 1815->1820 1821 7ffd9b961172-7ffd9b96118a 1816->1821 1822 7ffd9b9611e1-7ffd9b961230 1816->1822 1818->1798 1821->1817 1830 7ffd9b961232-7ffd9b961264 1822->1830 1831 7ffd9b9612a1-7ffd9b9612e9 1822->1831 1837 7ffd9b9612fd-7ffd9b9612fe 1831->1837 1838 
7ffd9b9612eb-7ffd9b9612fb 1831->1838 1839 7ffd9b961301-7ffd9b961318 1837->1839 1838->1839 1843 7ffd9b96131a-7ffd9b96131c 1839->1843 1844 7ffd9b96134b-7ffd9b9613c9 1839->1844 1843->1844 1845 7ffd9b96131e-7ffd9b961344 1843->1845 1853 7ffd9b961413-7ffd9b96142f 1844->1853 1854 7ffd9b9613cb-7ffd9b9613f9 1844->1854 1845->1844 1855 7ffd9b961431-7ffd9b961444 1853->1855 1856 7ffd9b9613ff-7ffd9b961412 1854->1856 1857 7ffd9b9614a5-7ffd9b9614b5 1854->1857 1855->1857 1859 7ffd9b961446-7ffd9b961460 1855->1859 1856->1857 1858 7ffd9b961418-7ffd9b96142f 1856->1858 1862 7ffd9b9614b8-7ffd9b961517 1857->1862 1863 7ffd9b9614b7 1857->1863 1858->1855 1868 7ffd9b961462 1859->1868 1869 7ffd9b961519-7ffd9b961530 1862->1869 1870 7ffd9b96154c-7ffd9b961564 1862->1870 1863->1862 1868->1868 1871 7ffd9b961532-7ffd9b96154a 1869->1871 1872 7ffd9b9615a1-7ffd9b9615d8 1869->1872 1871->1870 1878 7ffd9b96160d-7ffd9b961618 1872->1878 1879 7ffd9b9615da-7ffd9b9615ea 1872->1879 1883 7ffd9b96161a-7ffd9b96162b 1878->1883 1884 7ffd9b96162c-7ffd9b961634 1878->1884 1881 7ffd9b9615ec-7ffd9b9615ee 1879->1881 1882 7ffd9b96165b-7ffd9b961667 1879->1882 1885 7ffd9b96166a-7ffd9b961713 1881->1885 1886 7ffd9b9615f0 1881->1886 1882->1885 1883->1884 1888 7ffd9b961636-7ffd9b961639 1884->1888 1900 7ffd9b961715-7ffd9b961726 1885->1900 1901 7ffd9b961727-7ffd9b961731 1885->1901 1886->1888 1890 7ffd9b9615f2-7ffd9b96160c 1886->1890 1890->1878 1900->1901
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.2776181309.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b960000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 448f1b3d937953d274e284ad6e457e2ba05f70b3b32941ea5f6e2d4c51b3919e
                                                                                                                                                                                                                                • Instruction ID: 7bb564037bb43404c1ae1388bfcd3bcc76b082b9d7e72f9c15e6bf7f30f5a691
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 448f1b3d937953d274e284ad6e457e2ba05f70b3b32941ea5f6e2d4c51b3919e
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B5523A31A1F7D99FEB66DB6888655A87FE0EF56304B0A01FFD089CB1E3D9146906C381
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.2776181309.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b960000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: c59dc2308249fee55e89f166bd8b8c2542f2000263718182c6db050450b43f78
                                                                                                                                                                                                                                • Instruction ID: 2d59845c850719893b766d325f23562afa437a526e4dceb76c99b8c7722c8888
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c59dc2308249fee55e89f166bd8b8c2542f2000263718182c6db050450b43f78
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CF612A3061EADD8FDB5ADB6488755A87BF1EF56304B0A01EBC08AC71E7DA18A906C341
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.2776181309.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b960000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: fb3b9cfebf928dfd3632ba2f52c928f27d287e088ae6f841b4d8d96acab5cb4c
                                                                                                                                                                                                                                • Instruction ID: 1110a394510d7119ce19632ef2103d4fff1183c6e88e559940fca020f6640155
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fb3b9cfebf928dfd3632ba2f52c928f27d287e088ae6f841b4d8d96acab5cb4c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5051383191EA4ECFDB66DB58C8E1AE877E0FF65304F1506B9D04DCB09ACA35A946C740
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.2776181309.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b960000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: f197512fae35459aa86279bc7dc27b77b2ef77cc50f103a2a3dbddeb6093171f
                                                                                                                                                                                                                                • Instruction ID: 9a701eb7cb3b1c9869cb50d23ed577a2bfa084c82e9ef748ec84f4741c531dd2
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f197512fae35459aa86279bc7dc27b77b2ef77cc50f103a2a3dbddeb6093171f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CA21033561990D8FDF68DF18C8A54B977E1FFA8308B16066AD00BC71A9DE35B941C780
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.2775008525.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_SecuriteInfo.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 208b392ca9ba8ecd8637820162e3904e862e9dc31922c8edf2bc4cbac6dd45a2
                                                                                                                                                                                                                                • Instruction ID: c1ab88710d5f2a24d7e5b4d62a8f51744c23510438bc416104ad3086d0f65ab2
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 208b392ca9ba8ecd8637820162e3904e862e9dc31922c8edf2bc4cbac6dd45a2
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5891B72164FBCA0FD7278B7488615A07FA0EF5721071A42FBC4E5CB4F3D929A94AC751
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000003.00000002.3386624763.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_1660000_CasPol.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 525e3f63a09ee3bbac525d6b26f9eddffbc4bbf0705705312dda64a7bf19e721
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_1660000_CasPol.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: d92045fff4ea01d8865916b6f0ff297315975dba4002b7584db1d9874ac21797
                                                                                                                                                                                                                                • Instruction ID: 34a0333bf3c4cd419ef4ba44aa7161bb23bcd1df5fb720779d988a302ad4d027
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d92045fff4ea01d8865916b6f0ff297315975dba4002b7584db1d9874ac21797
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D6110431704385AFC702AF3A9CA595B7BAAFFD225035441BED415CF351EE689C06CB91
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000003.00000002.3386624763.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_1660000_CasPol.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 1f052dd8c3cf8f0adf4c51450f3a39e08c724591e12a25bb9918ef612722b7ad
                                                                                                                                                                                                                                • Instruction ID: 1765f0bbc9d707569330a18e2881dcce16f6afcf615e80e75eeebd984df3c1b9
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1f052dd8c3cf8f0adf4c51450f3a39e08c724591e12a25bb9918ef612722b7ad
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D10149B2A602051B87057B6C58940BFFA8EFAD2360318493AD11BDB32CDE11DD0A47C5
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000003.00000002.3386624763.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_1660000_CasPol.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 5e76973707961187dc6943e31d15e6c21a8c43c6671527aa709c4391e5546749
                                                                                                                                                                                                                                • Instruction ID: c7e76d9562205ca55b33215fe7f046232b61cd16f5ebfa871d76a5606768f610
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5e76973707961187dc6943e31d15e6c21a8c43c6671527aa709c4391e5546749
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 88015E30B10115DBDF54EB68C858BAE76A6AB89301F21053CE402AB3D5CF789C018BD1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000003.00000002.3386624763.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_1660000_CasPol.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: e9cf3489e6d468290f3cf0d8e99a7c18e26fb1c2639b311f24af8a047ab0a5f1
                                                                                                                                                                                                                                • Instruction ID: 7d4974388664502c95e5ccc8b4aa0ffa5406aa31af2be7fa0315efb479bb49c9
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e9cf3489e6d468290f3cf0d8e99a7c18e26fb1c2639b311f24af8a047ab0a5f1
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 12F0AF32B402016BD714AB3EAC9592F7A9EFBC52903404539E41ACB304EFA4DC058790
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000003.00000002.3386624763.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_1660000_CasPol.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 3b9d1fec0311b92a77246590533d4f64680ad273f0cbcc1796073d444f4adf5e
                                                                                                                                                                                                                                • Instruction ID: 1b8b06f8a14f94f391c97627b33d8b22413bda9e6ecbbc8bea1e7e7429e2e888
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3b9d1fec0311b92a77246590533d4f64680ad273f0cbcc1796073d444f4adf5e
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2BF0F031B043456FD7165B78AC1096A7FFAFFCA620B0441AEE41EC3392CEAC4D169396
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000003.00000002.3386624763.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_1660000_CasPol.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 67124e07c3911c2e77cb044801abb4f4d3d6f8a514f82cf3f9108643fe0a11f3
                                                                                                                                                                                                                                • Instruction ID: 64e53241f6bd5f2abc0de11b545e395344db83b0cd6fda64c38310d406fb4112
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 67124e07c3911c2e77cb044801abb4f4d3d6f8a514f82cf3f9108643fe0a11f3
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1301DC317402018FCB11EB68E9805BDBBE3EFC8300B148429C4179B364DF7AEC468B92
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000003.00000002.3386624763.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_1660000_CasPol.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: b600bf7b4f0389d4f888984bdd4ab9d881df4e9778c12ef0401811c6d0e98ee6
                                                                                                                                                                                                                                • Instruction ID: 3f415f05d832dca7e62dc4d35b784329c9bfd65945315a019db2f39d1f8776db
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b600bf7b4f0389d4f888984bdd4ab9d881df4e9778c12ef0401811c6d0e98ee6
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7DF04F30B51115CBCF54EFA9C854B7E76AABB88704F25053DE402AB3A4CF789D028BD5
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000003.00000002.3386624763.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_1660000_CasPol.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 48ff145b746060497bcdabced7bd6cc66cbed0745f224521aa9017db2416b7f1
                                                                                                                                                                                                                                • Instruction ID: 14f640f2f1db774c68e9ea373004213d1e2400d3fca3f80438e19c10c43e68b7
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 48ff145b746060497bcdabced7bd6cc66cbed0745f224521aa9017db2416b7f1
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 48F0E9357041955FD7015B6C9C405663BAAEBCB75070941E6D409C7341CEA46C0753E3
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000003.00000002.3386624763.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_1660000_CasPol.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 601984828c27de8c66db270bfa9713e0ff5f543872ee634dd3e9027108408298
                                                                                                                                                                                                                                • Instruction ID: bab2e85a594892c09c4a9e7a6e79c1d2f1a9afcae8e30802c4cb6f1790166e96
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 601984828c27de8c66db270bfa9713e0ff5f543872ee634dd3e9027108408298
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FEF0E2326006011BC306AB7DD8108BFBADABEC2254344497ED119CB764EE51EC0A87D6
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000003.00000002.3386624763.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_1660000_CasPol.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 39f5ccdf6b7ee955d692cb2b8a11f133bce588832d8e93eb8d656f2b22abdb67
                                                                                                                                                                                                                                • Instruction ID: 2abacad0cefc1f006365bffdf108ea51c9dfca81984dc0c82f2f6413b63326cb
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 39f5ccdf6b7ee955d692cb2b8a11f133bce588832d8e93eb8d656f2b22abdb67
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7FF0923091934AEFCB41DFB8DE9589DBFF4EB16300B1440E9C404DB215EA325E059B51
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000003.00000002.3386624763.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_1660000_CasPol.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 198deb75d362c58b4c6fb9852fb1c7616aab18c5f667d1aaf9b27fb69e84f51b
                                                                                                                                                                                                                                • Instruction ID: 1cefaf65bab77d5d1d61f28e5475f742a6e384934efbb949cb4058606662e994
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 198deb75d362c58b4c6fb9852fb1c7616aab18c5f667d1aaf9b27fb69e84f51b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 89D01770A00109EF8B40DFA8EA8199EBBB9EB44300B1045A9D808D3200EA326E049B80
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 5.5%
Dynamic/Decrypted Code Coverage: 2.8%
Signature Coverage: 12.3%
Total number of Nodes: 1012
Total number of Limit Nodes: 14
_Deallocate 38892->39025 38894 402c03 38893->38894 38895 402bfa 38893->38895 38894->38689 39026 40387f 26 API calls 2 library calls 38895->39026 38897->38683 38899 407d7f __EH_prolog3 38898->38899 38971 407b1c 38899->38971 38904 407d9d 38985 407f02 40 API calls _Atexit 38904->38985 38905 407dfb std::locale::_Locimp::_Locimp_dtor 38905->38869 38907 407da5 _Yarn 38977 407b74 38907->38977 38909 404193 __EH_prolog 38908->38909 38910 407b1c std::_Lockit::_Lockit 2 API calls 38909->38910 38911 4041a2 38910->38911 38990 401318 38911->38990 38913 4041b9 std::locale::_Getfacet 38915 4041cc 38913->38915 38996 40436e 55 API calls 3 library calls 38913->38996 38914 407b74 std::_Lockit::~_Lockit 2 API calls 38916 403e49 38914->38916 38915->38914 38924 4033ea 38916->38924 38918 4041dc 38919 4041e3 38918->38919 38921 404219 38918->38921 38997 407d41 8 API calls std::_Facet_Register 38919->38997 38998 40aa2b RaiseException 38921->38998 38923 40422f 38925 4033f4 __EH_prolog 38924->38925 38926 407b1c std::_Lockit::_Lockit 2 API calls 38925->38926 38927 403403 38926->38927 38928 401318 int 4 API calls 38927->38928 38929 40341a std::locale::_Getfacet 38928->38929 38930 40342d 38929->38930 38999 401429 55 API calls 2 library calls 38929->38999 38931 407b74 std::_Lockit::~_Lockit 2 API calls 38930->38931 38933 40346a 38931->38933 38940 404424 38933->38940 38934 40343d 38935 403444 38934->38935 38936 40347a 38934->38936 39000 407d41 8 API calls std::_Facet_Register 38935->39000 39001 40aa2b RaiseException 38936->39001 38939 403490 38941 40442e __EH_prolog 38940->38941 39002 404d6b 38941->39002 38943 404463 38944 409256 std::_Facet_Register 8 API calls 38943->38944 38945 40447e 38944->38945 38945->38875 38947 4044ef __EH_prolog 38946->38947 39014 405177 8 API calls std::_Facet_Register 38947->39014 38949 40450d 39015 405025 29 API calls std::_Facet_Register 38949->39015 38951 404517 38952 404571 38951->38952 38953 40451e 38951->38953 39018 404efe 27 API calls 38952->39018 39016 405119 8 
API calls std::_Facet_Register 38953->39016 38956 404528 39017 405e85 8 API calls std::_Facet_Register 38956->39017 38959 404531 38959->38877 38968 403eb8 38967->38968 38969 404406 38967->38969 38968->38675 39019 40387f 26 API calls 2 library calls 38969->39019 38972 407b2b 38971->38972 38973 407b32 38971->38973 38986 411a5a EnterCriticalSection std::_Lockit::_Lockit 38972->38986 38976 407b30 38973->38976 38987 408745 EnterCriticalSection 38973->38987 38976->38907 38984 407edf 8 API calls 2 library calls 38976->38984 38978 411a63 38977->38978 38979 407b7e 38977->38979 38989 411a43 LeaveCriticalSection 38978->38989 38980 407b91 38979->38980 38988 408753 LeaveCriticalSection 38979->38988 38980->38905 38983 411a6a 38983->38905 38984->38904 38985->38907 38986->38976 38987->38976 38988->38980 38989->38983 38991 401324 38990->38991 38992 401348 38990->38992 38993 407b1c std::_Lockit::_Lockit 2 API calls 38991->38993 38992->38913 38994 40132e 38993->38994 38995 407b74 std::_Lockit::~_Lockit 2 API calls 38994->38995 38995->38992 38996->38918 38997->38915 38998->38923 38999->38934 39000->38930 39001->38939 39005 404eb6 39002->39005 39004 404d85 39004->38943 39004->39004 39006 404ed2 39005->39006 39011 404ece 39005->39011 39007 404ef8 39006->39007 39008 404eda 39006->39008 39013 4030f6 27 API calls 39007->39013 39009 403859 27 API calls 39008->39009 39009->39011 39011->39004 39014->38949 39015->38951 39016->38956 39017->38959 39019->38968 39020->38884 39021->38886 39022->38886 39023->38886 39024->38892 39026->38894 39028 401bbc __EH_prolog 39027->39028 39067 40307c 39028->39067 39034 401c1f 39035 401c51 39034->39035 39085 40187f 42 API calls 2 library calls 39034->39085 39037 402403 39035->39037 39038 40240d __EH_prolog 39037->39038 39103 402b06 39038->39103 39041 402441 39041->38698 39041->38699 39157 402baa 39043->39157 39045 401a30 ___scrt_fastfail 39045->38702 39047 4024ab __EH_prolog 39046->39047 39048 4024e4 39047->39048 39166 40187f 42 API calls 2 library calls 
39047->39166 39050 402b06 42 API calls 39048->39050 39051 4024ee 39050->39051 39052 402551 39051->39052 39055 401d87 65 API calls 39051->39055 39056 40257c 39052->39056 39053 402511 39053->39052 39167 40187f 42 API calls 2 library calls 39053->39167 39055->39053 39057 402586 __EH_prolog 39056->39057 39058 402b06 42 API calls 39057->39058 39061 4025a8 39058->39061 39059 4025d8 39060 40265a 39059->39060 39172 40187f 42 API calls 2 library calls 39059->39172 39065 402b87 26 API calls _Deallocate 39060->39065 39061->39059 39168 401f2b 39061->39168 39064->38706 39065->38709 39066->38706 39068 403086 __EH_prolog 39067->39068 39086 403175 39068->39086 39071 402fe5 39072 402fef __EH_prolog 39071->39072 39073 409256 std::_Facet_Register 8 API calls 39072->39073 39074 403005 39073->39074 39075 407d73 std::locale::_Init 43 API calls 39074->39075 39076 403013 39075->39076 39097 402e7b 39076->39097 39079 402f6b 39080 402f75 __EH_prolog 39079->39080 39081 402e7b 26 API calls 39080->39081 39084 402fbf std::ios_base::_Ios_base_dtor 39080->39084 39082 402f9d 39081->39082 39102 4035f5 55 API calls 7 library calls 39082->39102 39084->39034 39085->39035 39087 40317f __EH_prolog 39086->39087 39088 409256 std::_Facet_Register 8 API calls 39087->39088 39089 4031b9 39088->39089 39090 407d73 std::locale::_Init 43 API calls 39089->39090 39091 4031c6 39090->39091 39092 4033ea 55 API calls 39091->39092 39093 4031f5 std::ios_base::_Ios_base_dtor 39092->39093 39094 401bec 39093->39094 39096 40187f 42 API calls 2 library calls 39093->39096 39094->39071 39096->39094 39098 401c0f 39097->39098 39099 402ed9 39097->39099 39098->39079 39101 40e7d7 26 API calls 2 library calls 39099->39101 39101->39098 39102->39084 39104 402b10 __EH_prolog 39103->39104 39115 403101 39104->39115 39107 401d87 39108 401d99 39107->39108 39109 401df4 39108->39109 39123 402dfd 39108->39123 39109->39041 39112 401de1 39112->39109 39132 40fd67 39112->39132 39116 40310b __EH_prolog 39115->39116 39117 403128 39116->39117 39121 
403242 42 API calls __EH_prolog 39116->39121 39119 40241d 39117->39119 39122 40187f 42 API calls 2 library calls 39117->39122 39119->39041 39119->39107 39121->39117 39122->39119 39124 402e0d 39123->39124 39128 401dc4 39123->39128 39124->39128 39143 4022ae 39124->39143 39128->39109 39128->39112 39129 4106d4 39128->39129 39130 41049b _Xfiopen 64 API calls 39129->39130 39131 4106ea 39130->39131 39131->39112 39133 40fd72 39132->39133 39134 40fd87 39132->39134 39153 412381 20 API calls __dosmaperr 39133->39153 39142 40fd9f 39134->39142 39155 412381 20 API calls __dosmaperr 39134->39155 39137 40fd77 39154 410905 26 API calls _Deallocate 39137->39154 39138 40fd94 39156 410905 26 API calls _Deallocate 39138->39156 39140 40fd82 39140->39109 39142->39109 39144 4022c3 39143->39144 39145 4022ca 39143->39145 39144->39128 39150 40ea7d 65 API calls 2 library calls 39144->39150 39145->39144 39146 40230b 39145->39146 39148 40235c 39145->39148 39146->39144 39151 40dec7 28 API calls 7 library calls 39146->39151 39148->39144 39152 40ea7d 65 API calls 2 library calls 39148->39152 39150->39128 39151->39144 39152->39144 39153->39137 39154->39140 39155->39138 39156->39142 39158 402bc2 39157->39158 39159 402bc6 39157->39159 39158->39045 39160 402be9 39159->39160 39161 402bce 39159->39161 39165 4030f6 27 API calls 39160->39165 39162 403859 27 API calls 39161->39162 39162->39158 39166->39048 39167->39052 39169 401f3f 39168->39169 39170 401f52 __Strxfrm 39168->39170 39169->39059 39170->39169 39173 4102e9 39170->39173 39172->39060 39176 410306 39173->39176 39175 410301 39175->39169 39177 410312 CallCatchBlock 39176->39177 39178 410352 39177->39178 39179 410325 ___scrt_fastfail 39177->39179 39180 41034a __wsopen_s 39177->39180 39189 40e81d EnterCriticalSection 39178->39189 39203 412381 20 API calls __dosmaperr 39179->39203 39180->39175 39182 41035c 39190 41011d 39182->39190 39185 41033f 39204 410905 26 API calls _Deallocate 39185->39204 39189->39182 39193 41012f ___scrt_fastfail 39190->39193 
39196 41014c 39190->39196 39191 41013c 39206 412381 20 API calls __dosmaperr 39191->39206 39193->39191 39193->39196 39198 41018f __fread_nolock 39193->39198 39194 410141 39207 410905 26 API calls _Deallocate 39194->39207 39205 410391 LeaveCriticalSection __fread_nolock 39196->39205 39197 4102ab ___scrt_fastfail 39209 412381 20 API calls __dosmaperr 39197->39209 39198->39196 39198->39197 39200 4154e8 __fread_nolock 26 API calls 39198->39200 39202 4192ad __fread_nolock 38 API calls 39198->39202 39208 410399 26 API calls 4 library calls 39198->39208 39200->39198 39202->39198 39203->39185 39204->39180 39205->39180 39206->39194 39207->39196 39208->39198 39209->39194 39211 40106d ___scrt_initialize_default_local_stdio_options 39210->39211 39218 40fd43 39211->39218 39215 4039c7 39214->39215 39216 4039bb 39214->39216 39215->38718 39217 402c71 27 API calls 39216->39217 39217->39215 39221 40ead5 39218->39221 39222 40eb15 39221->39222 39223 40eafd 39221->39223 39222->39223 39225 40eb1d 39222->39225 39245 412381 20 API calls __dosmaperr 39223->39245 39247 40e3f2 38 API calls 2 library calls 39225->39247 39226 40eb02 39246 410905 26 API calls _Deallocate 39226->39246 39229 40eb2d 39248 40eef9 20 API calls __dosmaperr 39229->39248 39232 40eba5 39249 40f0ad 50 API calls 2 library calls 39232->39249 39233 40107b 39233->38714 39236 40eb0d 39238 4097a5 39236->39238 39237 40ebb0 39250 40ef2e 20 API calls _free 39237->39250 39239 4097b0 IsProcessorFeaturePresent 39238->39239 39240 4097ae 39238->39240 39242 409efa 39239->39242 39240->39233 39251 409ebe SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 39242->39251 39244 409fdd 39244->39233 39245->39226 39246->39236 39247->39229 39248->39232 39249->39237 39250->39236 39251->39244 39253 401aab 39252->39253 39253->39253 39261 402cba 39253->39261 39255 401abd 39255->38724 39256->38774 39257->38776 39258->38763 39259->38780 39260->38780 39262 402cfa 39261->39262 39264 402cd0 
BuildCatchObjectHelperInternal 39261->39264 39265 4037a9 27 API calls 2 library calls 39262->39265 39264->39255 39265->39264 39266->38784 39268 410c87 39267->39268 39269 410c9c 39267->39269 39275 412381 20 API calls __dosmaperr 39268->39275 39277 410965 51 API calls 4 library calls 39269->39277 39272 410c8c 39276 410905 26 API calls _Deallocate 39272->39276 39273 410c97 39273->38808 39275->39272 39276->39273 39277->39273 39279 4138da _abort 39278->39279 39280 4138e1 39279->39280 39281 4138f3 39279->39281 39314 413a28 GetModuleHandleW 39280->39314 39302 4119fb EnterCriticalSection 39281->39302 39284 4138e6 39284->39281 39315 413a6c GetModuleHandleExW 39284->39315 39285 413998 39303 4139d8 39285->39303 39288 41396f 39293 413987 39288->39293 39324 41381a 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 39288->39324 39291 4139e1 39326 424569 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 39291->39326 39292 4139b5 39306 4139e7 39292->39306 39325 41381a 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 39293->39325 39299 4138fa 39299->39285 39299->39288 39323 4151ba 20 API calls _abort 39299->39323 39302->39299 39327 411a43 LeaveCriticalSection 39303->39327 39305 4139b1 39305->39291 39305->39292 39328 4177fa 39306->39328 39309 413a15 39312 413a6c _abort 8 API calls 39309->39312 39310 4139f5 GetPEB 39310->39309 39311 413a05 GetCurrentProcess TerminateProcess 39310->39311 39311->39309 39313 413a1d ExitProcess 39312->39313 39314->39284 39316 413a96 GetProcAddress 39315->39316 39317 413ab9 39315->39317 39321 413aab 39316->39321 39318 413ac8 39317->39318 39319 413abf FreeLibrary 39317->39319 39320 4097a5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 39318->39320 39319->39318 39322 4138f2 39320->39322 39321->39317 39322->39281 39323->39288 39324->39293 39325->39285 39327->39305 39329 417815 39328->39329 39330 41781f 39328->39330 39332 4097a5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API 
calls 39329->39332 39335 4171b7 5 API calls 2 library calls 39330->39335 39333 4139f1 39332->39333 39333->39309 39333->39310 39334 417836 39334->39329 39335->39334 39336 49a003c 39337 49a0049 39336->39337 39351 49a0e0f SetErrorMode SetErrorMode 39337->39351 39342 49a0265 39343 49a02ce VirtualProtect 39342->39343 39345 49a030b 39343->39345 39344 49a0439 VirtualFree 39349 49a05f4 LoadLibraryA 39344->39349 39350 49a04be 39344->39350 39345->39344 39346 49a04e3 LoadLibraryA 39346->39350 39348 49a08c7 39349->39348 39350->39346 39350->39349 39352 49a0223 39351->39352 39353 49a0d90 39352->39353 39354 49a0dad 39353->39354 39355 49a0dbb GetPEB 39354->39355 39356 49a0238 VirtualAlloc 39354->39356 39355->39356 39356->39342 39357 41870f 39358 41871b CallCatchBlock 39357->39358 39359 418727 39358->39359 39360 41873e 39358->39360 39391 412381 20 API calls __dosmaperr 39359->39391 39370 40e81d EnterCriticalSection 39360->39370 39363 41874e 39371 41878b 39363->39371 39364 41872c 39392 410905 26 API calls _Deallocate 39364->39392 39367 41875a 39393 418781 LeaveCriticalSection __fread_nolock 39367->39393 39369 418737 __wsopen_s 39370->39363 39372 4187b3 39371->39372 39373 418799 39371->39373 39374 4154e8 __fread_nolock 26 API calls 39372->39374 39397 412381 20 API calls __dosmaperr 39373->39397 39377 4187bc 39374->39377 39376 41879e 39398 410905 26 API calls _Deallocate 39376->39398 39394 4197e5 39377->39394 39381 4188c0 39383 4188cd 39381->39383 39387 418873 39381->39387 39382 418844 39385 418861 39382->39385 39382->39387 39400 412381 20 API calls __dosmaperr 39383->39400 39399 418aa4 31 API calls 4 library calls 39385->39399 39388 4187a9 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 39387->39388 39401 418920 30 API calls 2 library calls 39387->39401 39388->39367 39389 41886b 39389->39388 39391->39364 39392->39369 39393->39369 39402 419662 39394->39402 39396 4187d8 39396->39381 39396->39382 39396->39388 39397->39376 39398->39388 39399->39389 39400->39388 39401->39388 39403 41966e 
CallCatchBlock 39402->39403 39404 419676 39403->39404 39405 41968e 39403->39405 39428 41236e 20 API calls __dosmaperr 39404->39428 39407 419742 39405->39407 39412 4196c6 39405->39412 39433 41236e 20 API calls __dosmaperr 39407->39433 39408 41967b 39429 412381 20 API calls __dosmaperr 39408->39429 39411 419747 39434 412381 20 API calls __dosmaperr 39411->39434 39427 41e5cd EnterCriticalSection 39412->39427 39415 41974f 39435 410905 26 API calls _Deallocate 39415->39435 39416 4196cc 39418 4196f0 39416->39418 39419 419705 39416->39419 39430 412381 20 API calls __dosmaperr 39418->39430 39422 419767 __fread_nolock 28 API calls 39419->39422 39421 419683 __wsopen_s 39421->39396 39424 419700 39422->39424 39423 4196f5 39431 41236e 20 API calls __dosmaperr 39423->39431 39432 41973a LeaveCriticalSection __wsopen_s 39424->39432 39427->39416 39428->39408 39429->39421 39430->39423 39431->39424 39432->39421 39433->39411 39434->39415 39435->39421 39436 2f1efee 39437 2f1effd 39436->39437 39440 2f1f78e 39437->39440 39445 2f1f7a9 39440->39445 39441 2f1f7b2 CreateToolhelp32Snapshot 39442 2f1f7ce Module32First 39441->39442 39441->39445 39443 2f1f006 39442->39443 39444 2f1f7dd 39442->39444 39447 2f1f44d 39444->39447 39445->39441 39445->39442 39448 2f1f478 39447->39448 39449 2f1f489 VirtualAlloc 39448->39449 39450 2f1f4c1 39448->39450 39449->39450

Control-flow Graph
APIs
  • Part of subcall function 00426235: __EH_prolog.LIBCMT ref: 0042623A
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043AEF4), ref: 00424AD5
  • Part of subcall function 00425E92: __EH_prolog.LIBCMT ref: 00425E97
  • Part of subcall function 00425E92: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00425F79
• GetTempPathA.KERNEL32(00000104,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00425A16
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: H_prolog$FileIos_base_dtorModuleNamePathTempstd::ios_base::_
• String ID: /1/serversystemNCQ_x64.exe$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$eight$five$four$nine$note.padd.cn.com$one$serversystemNCQ_x64.exe$seven$six$sub=([\w-]{1,255})$ten$three$two
• API String ID: 929474060-2157447433
• Opcode ID: 17bf2574a8bbe870a88041cf645c46bd632d7aae589e26ee0f3dcd36f1da404d
• Instruction ID: 6b72c2e5a1472f1d435c072ec535a3c6db0bd386d75e29162859cb6ea77325b9
• Opcode Fuzzy Hash: 17bf2574a8bbe870a88041cf645c46bd632d7aae589e26ee0f3dcd36f1da404d
• Instruction Fuzzy Hash: 65A2341058A2E19AC712FB75581758A3FE51B6230EF54787FE5D12F2A3C96C821C839F
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• __EH_prolog.LIBCMT ref: 004263EA
• WSAStartup.WS2_32(00000202,?), ref: 00427076
• socket.WS2_32(00000002,00000001,00000006), ref: 0042708C
• WSACleanup.WS2_32 ref: 004270A6
• gethostbyname.WS2_32(00000000), ref: 004270BA
• htons.WS2_32(?), ref: 004270EC
• connect.WS2_32(00000000,?,00000010), ref: 004270FD
• send.WS2_32(00000000,00000000,00000000,00000000), ref: 00427120
• send.WS2_32(00000000,00000000,?,00000000), ref: 0042713C
• recv.WS2_32(00000000,00000000,00000001,00000000), ref: 0042717C
• recv.WS2_32(?,00000000,00000001,00000000), ref: 004272FA
• recv.WS2_32(?,?,00000000,00000000), ref: 00427399
• recv.WS2_32(?,0000000A,00000002,00000000), ref: 004273C0
• recv.WS2_32(00000000,?,?,00000000), ref: 00427421
• WSACleanup.WS2_32 ref: 0042745F
• closesocket.WS2_32(?), ref: 00427466
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: recv$Cleanupsend$H_prologStartupclosesocketconnectgethostbynamehtonssocket
• String ID: HTTP/1.1$(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36$185.172.128.90$Content-Length$GET $HTTP/1.1 200 OK$Host: $Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 $POST $Transfer-Encoding$User-Agent: $chunked
• API String ID: 791229064-1222584043
• Opcode ID: 18be0af429a46002ce92d847665834a75d1367100ef1fb5941ab536c06ff8f93
• Instruction ID: c02e3a93c91f732d40d098133b2ecf2832f7337e1a98b712c75d7e50267902da
• Opcode Fuzzy Hash: 18be0af429a46002ce92d847665834a75d1367100ef1fb5941ab536c06ff8f93
• Instruction Fuzzy Hash: F492965094A2A19ACB02FFB5685659E3FF4592130D714647FE5D06F3A3CA2C821C87AF
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
Control-flow graph of the function at 004139E7 (rendered graph not recoverable from the report text).
APIs
• GetCurrentProcess.KERNEL32(00000003,?,004139BD,00000003,00437D60,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A08
• TerminateProcess.KERNEL32(00000000,?,004139BD,00000003,00437D60,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A0F
• ExitProcess.KERNEL32 ref: 00413A21
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 894b5bdb18b640f385292c5622eb6f2d8d3b57cbb89090b821d2e36a11f43174
• Instruction ID: bfadc2acc187f9cfd988f020b0af5571caefb971efb7e130f1d0998baf6699a9
• Opcode Fuzzy Hash: 894b5bdb18b640f385292c5622eb6f2d8d3b57cbb89090b821d2e36a11f43174
• Instruction Fuzzy Hash: 53E04F31101504ABCF116F14DD0898A3B29EF00786F418029F94596132DF39DE86CB48
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph of the function at 02F1F78E (rendered graph not recoverable from the report text).
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02F1F7B6
• Module32First.KERNEL32(00000000,00000224), ref: 02F1F7D6
Memory Dump Source
• Source File: 00000008.00000002.3336518839.0000000002F1E000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F1E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2f1e000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: fa3fbd898c1a5e69885896c9ffa14e53562e335812cfaf8f1a17ee81a9ab4d42
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 45F09636600715ABD7203BF5AC8DB6E76E8AF49664F900629F743918C0DB70E8458A61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph of the function at 0041A242 (rendered graph not recoverable from the report text).
APIs
  • Part of subcall function 00419F10: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D
• GetLastError.KERNEL32 ref: 0041A356
• __dosmaperr.LIBCMT ref: 0041A35D
• GetFileType.KERNEL32(00000000), ref: 0041A369
• GetLastError.KERNEL32 ref: 0041A373
• __dosmaperr.LIBCMT ref: 0041A37C
• CloseHandle.KERNEL32(00000000), ref: 0041A39C
• CloseHandle.KERNEL32(?), ref: 0041A4E6
• GetLastError.KERNEL32 ref: 0041A518
• __dosmaperr.LIBCMT ref: 0041A51F
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 3d610beb6fdae7f59e9ad9f33e2ca6ec6ebc0d6293e5c15d19bd92f4cf96793f
• Instruction ID: 5ed0b96f73270941775a85281cb99d597b6a4d56659bde6f01148d564b9c2f2b
• Opcode Fuzzy Hash: 3d610beb6fdae7f59e9ad9f33e2ca6ec6ebc0d6293e5c15d19bd92f4cf96793f
• Instruction Fuzzy Hash: DDA15732A041089FDF189F78D8517EE3BA1AF06324F18015EEC51EB391D7398D66C75A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph of the function at 004192AD (rendered graph not recoverable from the report text).
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a9117c4caaae958124344d97274fd67e90a93c7c171772c9c3d1069b47ac8b3f
• Instruction ID: ad7a334a3c542fe0f14731be173b353b81adde24e2ae5a0363ed5934dc533936
• Opcode Fuzzy Hash: a9117c4caaae958124344d97274fd67e90a93c7c171772c9c3d1069b47ac8b3f
• Instruction Fuzzy Hash: 72C11A71D04249AFDB11CFA9C850BEE7BB1BF09314F08419AE854B7392C7789D81CB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[control-flow graph rendering omitted; function entry block at 49a003c]
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 049A024D
Strings
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 9674df457cb51def17ee2d820b8954ee18748b3b4b03a36218e785dfbf588e5c
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: A7527974A01229DFDB64CF58C984BACBBB1BF09304F1480E9E94DAB351DB30AA94DF54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[control-flow graph rendering omitted; function entry block at 425fff]
APIs
• __EH_prolog.LIBCMT ref: 00426004
• RegCreateKeyExA.KERNEL32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043AE60,SOFTWARE\BroomCleaner), ref: 0042602C
• RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,?,0043AE60,0043AE61,Installed,Installed), ref: 004260AF
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 004260D0
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: CloseCreateH_prologValue
• String ID: Installed$SOFTWARE\BroomCleaner
• API String ID: 1996196666-529226407
• Opcode ID: 0c1498eeef2a83cafb83bf210d5a9b90b4b671d1f7746b808874f939b35d2cd9
• Instruction ID: 88d0ffafad339e53c26632b4546833d70425ff8bf3c95ccbaa1921ace6490f97
• Opcode Fuzzy Hash: 0c1498eeef2a83cafb83bf210d5a9b90b4b671d1f7746b808874f939b35d2cd9
• Instruction Fuzzy Hash: E431A771A00228AFDB148FA8DC94AFEBB78FB08358F44012EE802B3281C7B51D05CB64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[control-flow graph rendering omitted; function entry block at 4260e7]
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 00426131
• WriteFile.KERNEL32(00000000,?,00000400,AWB,00000000), ref: 00426149
• CloseHandle.KERNEL32(00000000), ref: 00426152
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: /syncUpd.exe$AWB
• API String ID: 1065093856-3279009668
• Opcode ID: a912db88f114df2c6673003673c4522d4d60e875e8989093ee3ec27779da3b73
• Instruction ID: ea454d58db3f570a703faf9f62bcad87da157c20184f63e0e300e902c8c0e078
• Opcode Fuzzy Hash: a912db88f114df2c6673003673c4522d4d60e875e8989093ee3ec27779da3b73
• Instruction Fuzzy Hash: D5F0F9B2301631BBD72416A6AC49E6BBB5DEF447A4F41003AF705D3292DA75FC1582AC
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[control-flow graph rendering omitted; function entry block at 4261d1]
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,serversystemNCQ_x64.exe), ref: 00426207
                                                                                                                                                                                                                                • WriteFile.KERNEL32(00000000,?,00000400,00425B7F,00000000), ref: 0042621F
                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00426228
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: serversystemNCQ_x64.exe
• API String ID: 1065093856-4105491473
• Opcode ID: 81eeccf449e78c501f1cd1432d73a9a3a23dd028abcdb10082ca37ec707300bb
• Instruction ID: e17ace126460657e3681985d0a65b8929ef4349a74fc66e1559dc9d9555c5b24
• Opcode Fuzzy Hash: 81eeccf449e78c501f1cd1432d73a9a3a23dd028abcdb10082ca37ec707300bb
• Instruction Fuzzy Hash: A7F0F6B2701231BBD3305AA6AC48E6BBA5DFF44664F41003ABB01D3150CBB5EC11D2F8
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted)

APIs
• ShellExecuteExA.SHELL32(?,/BroomSetup.exe), ref: 004261A1
• WaitForSingleObject.KERNEL32(?,00008000), ref: 004261B5
• CloseHandle.KERNEL32(?), ref: 004261BE
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: CloseExecuteHandleObjectShellSingleWait
• String ID: /BroomSetup.exe
• API String ID: 3837156514-1897133622
• Opcode ID: faa3531e92f7a28ce8b89843f4620ca73c62c6e16bba268bd3709f44c3ecf90f
• Instruction ID: 1e311514b9377177f2af020c61367fd92aa00ac37d84a7ed16a1071a1e85f590
• Opcode Fuzzy Hash: faa3531e92f7a28ce8b89843f4620ca73c62c6e16bba268bd3709f44c3ecf90f
• Instruction Fuzzy Hash: F9018F71E00218EBDF15DF69EC455DDBBB8FF08310F41812AF801A6260EB709A45CF94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted)

APIs
• SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00419816,?,?,00000002,00000000), ref: 004197A0
• GetLastError.KERNEL32(?,00419816,?,?,00000002,00000000,?,00416146,?,00000000,00000000,00000002,?,?,?,?), ref: 004197AA
• __dosmaperr.LIBCMT ref: 004197B1
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: ErrorFileLastPointer__dosmaperr
• String ID:
• API String ID: 2336955059-0
• Opcode ID: df2fb0bbc630fe00730a1d3e395213de1702832fc36ed6d5d61208973ec6bf62
• Instruction ID: 474d12f0d1f251b5c01d6f3fc33b49c877c5e51dc48bc47fa5668562e13d0985
• Opcode Fuzzy Hash: df2fb0bbc630fe00730a1d3e395213de1702832fc36ed6d5d61208973ec6bf62
• Instruction Fuzzy Hash: 1E012D36620515ABCB159FA9DC058EE7B19DF85330B28024EFC619B2D0EA749C918798
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted)

APIs
• CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: CreateFile
• String ID: @
• API String ID: 823142352-2766056989
• Opcode ID: 5f6990ddce253bec854566fd7a1e26849d5a3d230f9db06db37147ff82feb7e3
• Instruction ID: 1485254fa7f833b9d87c21434d611f3dfdfd80a983df9394cee0aa11d74a67a7
• Opcode Fuzzy Hash: 5f6990ddce253bec854566fd7a1e26849d5a3d230f9db06db37147ff82feb7e3
• Instruction Fuzzy Hash: 6C61F671900209AAEF249E28ECA1BFF3659DB01324F28066BF914D63E1D37DCDD1C299
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted)

APIs
• __EH_prolog.LIBCMT ref: 00401BB7
  • Part of subcall function 0040307C: __EH_prolog.LIBCMT ref: 00403081
  • Part of subcall function 00402FE5: __EH_prolog.LIBCMT ref: 00402FEA
  • Part of subcall function 00402FE5: std::locale::_Init.LIBCPMT ref: 0040300E
  • Part of subcall function 00402F6B: __EH_prolog.LIBCMT ref: 00402F70
  • Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
  • Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: H_prolog$Exception@8InitThrowstd::locale::_std::system_error::system_error
• String ID: v*@
• API String ID: 3966877926-3062513736
• Opcode ID: 240a4362d17f14c59b940fe530da69547b533384544aaaadc70cf94112413839
• Instruction ID: 2906f591fdcd98215504c4db900cd9c5f4984944fab9ade983be526ff471b933
• Opcode Fuzzy Hash: 240a4362d17f14c59b940fe530da69547b533384544aaaadc70cf94112413839
• Instruction Fuzzy Hash: B6215EB1611206AFD708DF59C88AA6AF7F9FF48348F14826EE115A7341D7B8DD048BA4
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 00425E97
                                                                                                                                                                                                                                  • Part of subcall function 00401BB2: __EH_prolog.LIBCMT ref: 00401BB7
                                                                                                                                                                                                                                  • Part of subcall function 00402403: __EH_prolog.LIBCMT ref: 00402408
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00425F79
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: H_prolog$Ios_base_dtorstd::ios_base::_
• String ID:
• API String ID: 420165198-0
• Opcode ID: 9ab3aaf70d2163a1063e646c5f49d5cb4be0b6ea4cdc2725c479562135cb88ac
• Instruction ID: 2556a8629159148f8f48e0708bdd224720a40a44b3f3f3bd97029f0642dfd191
• Opcode Fuzzy Hash: 9ab3aaf70d2163a1063e646c5f49d5cb4be0b6ea4cdc2725c479562135cb88ac
• Instruction Fuzzy Hash: 3731F570D01119EBDB14EF95E985AEDFBB4BF48304F5081AEE405B3681EB786A04CF64
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(00000400,?,?,049A0223,?,?), ref: 049A0E19
• SetErrorMode.KERNEL32(00000000,?,?,049A0223,?,?), ref: 049A0E1E
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: 8cc1a420990746618cf72a370a5af9752219a4a2f98d9fd987ef948e3681c966
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: C1D0123114512877DB402E94DC0DBCD7B1CDF09B62F108021FB0DD9080C770954046E5
Uniqueness
Uniqueness Score: -1.00%

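The entry above is worth a second look: a back-to-back SetErrorMode(0x400) followed by SetErrorMode(0), in a region the report marks "based on PE: false" (i.e. unpacked code outside a mapped image). 0x400 is not a documented SEM_* flag; this exact pairing is a well-known anti-debugging probe (it appears in public anti-analysis collections such as al-khaser): the second call returns the previous mode, and code that does not get 0x400 back concludes a debugger has interfered. The report itself only lists the two calls; the interpretation is the editor's. The following Python is an added example, not part of the Joe Sandbox report or the sample, that parses API entries in this report's text shape and flags that sequence. The regexes, the `SEM_PROBE` name and the sample text are the example's own assumptions; the sample reuses the two SetErrorMode lines and dump-source lines shown on this page plus constructed filler.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the report's "APIs" / "Memory Dump Source" entries.
# The SetErrorMode and Source File lines mirror entries on this page; the rest is filler.
SAMPLE_REPORT = """\
APIs
• SetErrorMode.KERNEL32(00000400,?,?,049A0223,?,?), ref: 049A0E19
• SetErrorMode.KERNEL32(00000000,?,?,049A0223,?,?), ref: 049A0E1E
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
APIs
• __EH_prolog.LIBCMT ref: 004024A6
  • Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
  • Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
"""

# One "• Name.MODULE(args), ref: ADDR" line; the module is the last dotted component.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)
DUMP_LINE = re.compile(
    r"^\s*•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)

SEM_PROBE = 0x400  # assumed name for the undocumented value used by the probe


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int
    subcall: bool


@dataclass
class DumpEntry:
    calls: list[ApiCall] = field(default_factory=list)
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = True


def parse_entries(text: str) -> list[DumpEntry]:
    """Group API lines with the Memory Dump Source line that closes each entry."""
    entries, current = [], DumpEntry()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(
                ApiCall(m["name"], m["module"], args, int(m["ref"], 16), bool(m["sub"]))
            )
            continue
        m = DUMP_LINE.match(line)
        if m:
            current.source_file = m["file"]
            current.offset = int(m["offset"], 16)
            current.based_on_pe = m["pe"] == "true"
            entries.append(current)
            current = DumpEntry()
    return entries


def find_seterrormode_probe(entry: DumpEntry) -> list[dict]:
    """Flag SetErrorMode(0x400) immediately followed by SetErrorMode(0) in one entry."""
    findings = []
    calls = [c for c in entry.calls if c.name == "SetErrorMode"]
    for first, second in zip(calls, calls[1:]):
        if not first.args or not second.args:
            continue
        try:
            a, b = int(first.args[0], 16), int(second.args[0], 16)
        except ValueError:  # argument shown as "?" (unresolved by the plugin)
            continue
        if a == SEM_PROBE and b == 0:
            findings.append({
                "technique": "SetErrorMode anti-debug probe",
                "refs": (first.ref, second.ref),
                "in_non_pe_region": not entry.based_on_pe,
            })
    return findings


def scan(text: str) -> list[dict]:
    return [f for e in parse_entries(text) for f in find_seterrormode_probe(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REPORT):
        print(hit)
```

The check is intentionally strict (the two calls must be adjacent and in the same dump entry); the "?" placeholders the IDA plugin emits for unresolved arguments are skipped rather than guessed. A region flagged both as non-PE and as carrying this probe is a good starting point for manual unpacking.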
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52ad06baf811014e6e5f204b8b24a1eec4f86eb4dd968a0a20361761455e3fdc
• Instruction ID: fd9d528a0c7afc623981433e04a224839326e77561e427239af827bb4a6996c4
• Opcode Fuzzy Hash: 52ad06baf811014e6e5f204b8b24a1eec4f86eb4dd968a0a20361761455e3fdc
• Instruction Fuzzy Hash: 8E51F771A00108AFDB10DF69C840BFA7BA5EF85364F59815EE8489B392CB39DD82C755
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: 25aeabf7499e8ad583be7248ba51f421055d1c52451b24307ef19921f3e1bf67
• Instruction ID: 0bde1253143090ae73d8540e9fd285f072e0ff93183f3a7406587cf81db67a05
• Opcode Fuzzy Hash: 25aeabf7499e8ad583be7248ba51f421055d1c52451b24307ef19921f3e1bf67
• Instruction Fuzzy Hash: CF316B31604706AFC710DE29C884A5ABBA0BF88354F04863EF954A73A1D779D854CB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004024A6
  • Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
  • Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: Exception@8H_prologThrowstd::system_error::system_error
• String ID:
• API String ID: 938716162-0
• Opcode ID: 3289019c20cb4556ee6c38f5e2da7034edf6970fc1a8ccc22b3f8cd15b199a8e
• Instruction ID: f9688b0c90679192299e0bb7a3439a4399c8f0768580163213d8cecdb75eb4b1
• Opcode Fuzzy Hash: 3289019c20cb4556ee6c38f5e2da7034edf6970fc1a8ccc22b3f8cd15b199a8e
• Instruction Fuzzy Hash: AE318B71A00515AFCB18DF29C9D5E6AB7F5FF84318718C16EE416AB791C634EC40CB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00402581
  • Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 291e7d1b3f6cf1fc2dccdca70f715a4ec6857470b8c4d5c93d697d15b5cdd404
• Instruction ID: 579ab2d92f659928d645a67e5e22432caab009e00a2c317709415ae2193797db
• Opcode Fuzzy Hash: 291e7d1b3f6cf1fc2dccdca70f715a4ec6857470b8c4d5c93d697d15b5cdd404
• Instruction Fuzzy Hash: 55318570A00619AFCB15DF09CA84A9ABBB5FF48308F14856EE405AB791C7B9ED40CB94
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00402408
  • Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: d2d9b6b43cfdf996835e501fea2ee693a7f56e5686c885c3d9c862d0dd8198d7
• Instruction ID: dba47e39e8d0c89352df1fbf4b30e2bb14e57b784247d2a0b0b3577a8c407922
• Opcode Fuzzy Hash: d2d9b6b43cfdf996835e501fea2ee693a7f56e5686c885c3d9c862d0dd8198d7
• Instruction Fuzzy Hash: 07218E70601611DFC728DF19C54896ABBF5FF88314B20C26EE85AAB7A1C374EE41CB90
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 3d975e7e6cbb78488cc061dbf685c7f7941f423534bf463c83edbdca8607934f
• Instruction ID: e517ab393e7309e987bd06d7ace07ed33cf8ef7f106266aa14b3143d95857183
• Opcode Fuzzy Hash: 3d975e7e6cbb78488cc061dbf685c7f7941f423534bf463c83edbdca8607934f
• Instruction Fuzzy Hash: 54114C71904209AFCF05DF58E9419DB7BF4EF48314F10409AF808AB311D635D9618B6A
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 00402F70
                                                                                                                                                                                                                                  • Part of subcall function 004035F5: __EH_prolog.LIBCMT ref: 004035FA
                                                                                                                                                                                                                                  • Part of subcall function 004035F5: std::_Lockit::_Lockit.LIBCPMT ref: 00403609
                                                                                                                                                                                                                                  • Part of subcall function 004035F5: int.LIBCPMT ref: 00403620
                                                                                                                                                                                                                                  • Part of subcall function 004035F5: std::locale::_Getfacet.LIBCPMT ref: 00403629
                                                                                                                                                                                                                                  • Part of subcall function 004035F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prologLockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3585332825-0
                                                                                                                                                                                                                                • Opcode ID: a6ab362fac026c4336eb4d324ac0ee64ede451761661cacb1181b9d48738e12c
                                                                                                                                                                                                                                • Instruction ID: 9ea047f1679d3f1c5945bcfcf49701419db79aaecc95a1d6f6b9c9ff7255fd05
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a6ab362fac026c4336eb4d324ac0ee64ede451761661cacb1181b9d48738e12c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6E018F70610114AFDB14EB25CA0ABAEB7F9AF04708F00402EF405B76D1DBF8AE408B59
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 269201875-0
                                                                                                                                                                                                                                • Opcode ID: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
                                                                                                                                                                                                                                • Instruction ID: 12cd10f48dc7b96564373969defca7bad1702ec24c59837b56aad39c86ff4cfc
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AFF09A32511119BBCF005E96DC02CDA3B6EEF89334F100156F91492150DA3ADD60A7A5
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: AllocateHeap
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1279760036-0
                                                                                                                                                                                                                                • Opcode ID: 5597b3fef2049d4b94b9b28840fe08f3b449df791141d5097313f0f524cf2598
                                                                                                                                                                                                                                • Instruction ID: b5ba98d12a3d3f69e8fd305ea92f8e9f348d5f1b31b2d1e3b8fe5de402ef0145
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5597b3fef2049d4b94b9b28840fe08f3b449df791141d5097313f0f524cf2598
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 12E0A03128821557973026729C017DF66699F417E1B190123AC04962A0CA5C8BD181AD
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00409967
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Exception@8Throw
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2005118841-0
                                                                                                                                                                                                                                • Opcode ID: 3493f753b1486d58973e154b97d64109dfccfe3e8fab1b3c27d4c8eca396d5cc
                                                                                                                                                                                                                                • Instruction ID: b1d4d2c8bd5c33842f46a32f8b4bbf06a66db444bdcfb0a1f556bd7da6e477e1
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3493f753b1486d58973e154b97d64109dfccfe3e8fab1b3c27d4c8eca396d5cc
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D4E0927440430DB6CB007A66EC169AE375C1E00324B208A7FB918B55E2EB78DDAAC59E
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CreateFile
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 823142352-0
                                                                                                                                                                                                                                • Opcode ID: 938609861a59e87d92f3a0c73e0613ce9160f7b54543d4443c23c2832b1bfae6
                                                                                                                                                                                                                                • Instruction ID: 5eb29461e2ddc9ae740c772c154a31e7a3cc6174a3f1b9e62ad8f29cf5827f76
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 938609861a59e87d92f3a0c73e0613ce9160f7b54543d4443c23c2832b1bfae6
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E4D06C3210010DBBDF129F84DD06EDA3BAAFB48754F018010BA5856060C732E832AB94
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02F1F49E
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3336518839.0000000002F1E000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F1E000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_2f1e000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                                                                                                • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                                • Instruction ID: fabd4502ace6011447e82e50fd01a515dc95ebd793c54d9f83b920f6c7b22d34
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6A113C79A00208EFDB01DF98CA85E98BBF5AF08351F058094FA489B362D771EA50DF80
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 049C649C: __EH_prolog.LIBCMT ref: 049C64A1
                                                                                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043AEF4), ref: 049C4D3C
                                                                                                                                                                                                                                  • Part of subcall function 049C60F9: __EH_prolog.LIBCMT ref: 049C60FE
                                                                                                                                                                                                                                  • Part of subcall function 049C60F9: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 049C61E0
Strings
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
• String ID: @$/1/serversystemNCQ_x64.exe$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$eight$five$four$nine$note.padd.cn.com$one$serversystemNCQ_x64.exe$seven$six$ten$three$two
• API String ID: 2531350358-943425476
• Opcode ID: 6de0276b107486a6e474e1e0084ba7586d55d8bfa3271348581a8865d76d9fa7
• Instruction ID: e53ff5ad9bab66fe8bc470adc475e8e5b6d960d775578a637dede944222314f8
• Opcode Fuzzy Hash: 6de0276b107486a6e474e1e0084ba7586d55d8bfa3271348581a8865d76d9fa7
• Instruction Fuzzy Hash: 04A2EE1048B2D0AEE721F778585758E3BE11AA3349F9CA4B9C4E11B363D954A53C83EF
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85
• GetUserDefaultLCID.KERNEL32 ref: 00420977
• IsValidCodePage.KERNEL32(00000000), ref: 004209D2
• IsValidLocale.KERNEL32(?,00000001), ref: 004209E1
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420A29
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00420A48
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID: 0B
• API String ID: 745075371-4003747729
• Opcode ID: f8dfd3e45c7171820dfa425feb9c1a2a63e1685b7cd510425c95f259fcd5efdc
• Instruction ID: 650ebaacf82e858368a26b85c64588bb52e0d85139106dd20bcc8c2b817cb8b1
• Opcode Fuzzy Hash: f8dfd3e45c7171820dfa425feb9c1a2a63e1685b7cd510425c95f259fcd5efdc
• Instruction Fuzzy Hash: 475184B1B002259AEB20DFA5EC45BBF77F8AF04700F94046BE905E7253D7789984CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
• IsValidCodePage.KERNEL32(00000000), ref: 00420015
• _wcschr.LIBVCRUNTIME ref: 004200A5
• _wcschr.LIBVCRUNTIME ref: 004200B3
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00420156
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID: 0B
• API String ID: 4212172061-4003747729
• Opcode ID: a67f0c87ba5b0233321a1933dfd54815027aea6e1cb45a6db47d5a69fa3d4796
• Instruction ID: 96eb391d46ce5fb78e8006d1997cb9303ceaefbbeb856b82c66811b22ec73256
• Opcode Fuzzy Hash: a67f0c87ba5b0233321a1933dfd54815027aea6e1cb45a6db47d5a69fa3d4796
• Instruction Fuzzy Hash: CD61F971700216AAE724AB35EC42BEB77E8EF04314F54403FF505D7282EA79E986C768
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00420730
• GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00420759
• GetACP.KERNEL32 ref: 0042076E
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: 2f8ee967946dfbb9997fc3c3bc2472c999760cc1c46ecdade7a51e654396b61a
• Instruction ID: f807061c0cfb0377689ec6e1dc83ff6a27fcbbb4928d2f32a34ff3ed1f12855e
• Opcode Fuzzy Hash: 2f8ee967946dfbb9997fc3c3bc2472c999760cc1c46ecdade7a51e654396b61a
• Instruction Fuzzy Hash: D021D822B00125A7D7308F54E900A9BB3E6AFD0F50BD68076E90AD7312E736ED41CB58
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 049C0997
• GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 049C09C0
• GetACP.KERNEL32 ref: 049C09D5
Strings
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: 2f8ee967946dfbb9997fc3c3bc2472c999760cc1c46ecdade7a51e654396b61a
• Instruction ID: 01a4bd18ad82221c578389e0dd756435de8e750dc97e58de86d7996ef1fe90f5
• Opcode Fuzzy Hash: 2f8ee967946dfbb9997fc3c3bc2472c999760cc1c46ecdade7a51e654396b61a
• Instruction Fuzzy Hash: 5421A122B01104EAF7348FD5C801BA7B3AAAB40B60F46847CEA4AD7101E732EA40C796
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 049B6F80: GetLastError.KERNEL32(?,?,049AE697,?,?,?,049AED94,?), ref: 049B6F84
  • Part of subcall function 049B6F80: _free.LIBCMT ref: 049B6FB7
  • Part of subcall function 049B6F80: SetLastError.KERNEL32(00000000), ref: 049B6FF8
  • Part of subcall function 049B6F80: _abort.LIBCMT ref: 049B6FFE
  • Part of subcall function 049B6F80: _free.LIBCMT ref: 049B6FDF
  • Part of subcall function 049B6F80: SetLastError.KERNEL32(00000000), ref: 049B6FEC
• GetUserDefaultLCID.KERNEL32 ref: 049C0BDE
• IsValidCodePage.KERNEL32(00000000), ref: 049C0C39
• IsValidLocale.KERNEL32(?,00000001), ref: 049C0C48
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 049C0C90
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 049C0CAF
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID:
• API String ID: 745075371-0
• Opcode ID: f8dfd3e45c7171820dfa425feb9c1a2a63e1685b7cd510425c95f259fcd5efdc
• Instruction ID: ff054e7d2a61a8f72c602d19dc1edf8a141a782a69ba7939dd704ebb5cc12473
• Opcode Fuzzy Hash: f8dfd3e45c7171820dfa425feb9c1a2a63e1685b7cd510425c95f259fcd5efdc
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7A515B71A00219EFEF20DFE5DC44ABAB7BCAF44704F44447DE914EB190EB70AA458B62
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID:
• String ID: y%B$y%B
• API String ID: 0-2510245575
• Opcode ID: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
• Instruction ID: 7f81a5055d29d3c9b3a65b9dd9c97bea9b47a5c616e9cad61c519a63aba044dd
• Opcode Fuzzy Hash: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
• Instruction Fuzzy Hash: F8024C71E002199FDF14CFA9D9806EEB7F1FF88314F25826AD819E7380D774AA518B94
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 049B6F80: GetLastError.KERNEL32(?,?,049AE697,?,?,?,049AED94,?), ref: 049B6F84
  • Part of subcall function 049B6F80: _free.LIBCMT ref: 049B6FB7
  • Part of subcall function 049B6F80: SetLastError.KERNEL32(00000000), ref: 049B6FF8
  • Part of subcall function 049B6F80: _abort.LIBCMT ref: 049B6FFE
• IsValidCodePage.KERNEL32(00000000), ref: 049C027C
• _wcschr.LIBVCRUNTIME ref: 049C030C
• _wcschr.LIBVCRUNTIME ref: 049C031A
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 049C03BD
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
• Opcode ID: a67f0c87ba5b0233321a1933dfd54815027aea6e1cb45a6db47d5a69fa3d4796
• Instruction ID: 2a9d228ebe7ab98a8dac2e5d7ada7f6f10e15389678285df9691d2fb5e997709
• Opcode Fuzzy Hash: a67f0c87ba5b0233321a1933dfd54815027aea6e1cb45a6db47d5a69fa3d4796
• Instruction Fuzzy Hash: B961D971A00206EBEB24AFB4DC45FAA77ACEF44714F14447EE949DB180EA74F94487E2
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420372
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004203C3
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420483
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
• Opcode ID: 5b72115e8b3d99db5ee644b06332b43cb25b862bc34a9776d716a8c8283a0e68
• Instruction ID: e49ff8fe4670d0273f63fc0405290e337e91ea8406976b64d41fdeda8fa98918
• Opcode Fuzzy Hash: 5b72115e8b3d99db5ee644b06332b43cb25b862bc34a9776d716a8c8283a0e68
• Instruction Fuzzy Hash: EB618571700127ABDB28DF25DC81BBA77E8EF04344F50807AE905C6642E77CE995CB58
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00410833
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041083D
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041084A
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 2e0c4ce7fc6f97195f0dd2060de5b9be5f08cd0aee2531fe00585e805eb4148f
• Instruction ID: 83fb90e8a7c5f9d9a6e74ed2432930f3ebad2766a255ac5393aec732c1f36b41
• Opcode Fuzzy Hash: 2e0c4ce7fc6f97195f0dd2060de5b9be5f08cd0aee2531fe00585e805eb4148f
• Instruction Fuzzy Hash: 9231C3749012189BCB21EF25DD887DDB7B8BF08310F5041EAE41CA7291EB749F858F88
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 049B0A9A
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 049B0AA4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 049B0AB1
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 2e0c4ce7fc6f97195f0dd2060de5b9be5f08cd0aee2531fe00585e805eb4148f
• Instruction ID: 7c53f5fe544411eac89a9fee7adb3f58b3acca18af77e11bf618f5962bc09b67
• Opcode Fuzzy Hash: 2e0c4ce7fc6f97195f0dd2060de5b9be5f08cd0aee2531fe00585e805eb4148f
• Instruction Fuzzy Hash: CC31C97490121C9BDB21DF68DD887DDB7B8BF48310F5045EAE41CA7250E770AB958F85
Uniqueness
Uniqueness Score: -1.00%
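
Two things in these records are worth more than a glance and are easy to miss in a listing this long. First, the two IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter functions share one Opcode ID (2e0c4ce7...) but have different Instruction IDs and come from different dump regions: 0x400000 (based on PE: true) and 0x49A0000 (based on PE: false). That is the same function body present at a second, non-PE-backed base address, which is the kind of evidence behind the report's unpacking and process-hollowing verdicts. Second, that API triple, like the GetCurrentProcess / TerminateProcess / ExitProcess and GetLocaleInfoW groups, is MSVC C runtime scaffolding (its fail-fast handler, its exit path, its locale initialisation), not behaviour the sample's author wrote, so it should not be read as anti-debugging on its own. The script below is added example code for this page, not Joe Sandbox tooling: it parses records in the layout shown above (the layout and the CRT API signatures are my assumptions, and the sample input is a constructed excerpt copied from the records on this page), flags Opcode IDs that recur across dump regions, and tags records whose direct API set is CRT boilerplate so the analyst can skip them.

```python
"""Triage a Joe Sandbox per-function listing: which dump region each function
is in, which Opcode IDs recur in more than one region, and which functions are
only MSVC CRT start-up/teardown scaffolding.  Added example, not Joe Sandbox
code; record layout and CRT signatures are assumptions, and SAMPLE is a
constructed excerpt of the records shown on the page (the last one is cut off
on the page and so has no Opcode ID, which the parser has to tolerate)."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00410833
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041083D
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041084A
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• Opcode ID: 2e0c4ce7fc6f97195f0dd2060de5b9be5f08cd0aee2531fe00585e805eb4148f
• Instruction ID: 83fb90e8a7c5f9d9a6e74ed2432930f3ebad2766a255ac5393aec732c1f36b41
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 049B0A9A
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 049B0AA4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 049B0AB1
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• Opcode ID: 2e0c4ce7fc6f97195f0dd2060de5b9be5f08cd0aee2531fe00585e805eb4148f
• Instruction ID: 7c53f5fe544411eac89a9fee7adb3f58b3acca18af77e11bf618f5962bc09b67
APIs
• GetCurrentProcess.KERNEL32(00000003,?,049B3C24,00000003,00437D60,0000000C,049B3D7B,00000003,00000002,00000000,?,049B2DD2,00000003), ref: 049B3C6F
• TerminateProcess.KERNEL32(00000000,?,049B3C24,00000003,00437D60,0000000C,049B3D7B,00000003,00000002,00000000,?,049B2DD2,00000003), ref: 049B3C76
• ExitProcess.KERNEL32 ref: 049B3C88
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Similarity
• API ID: Process$CurrentExitTerminate
"""

# One API call line: optional "Part of subcall function X: " prefix, then Name.MODULE
API_LINE = re.compile(r"^\s*•\s*(?P<sub>Part of subcall function \w+: )?"
                      r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)")
SOURCE_LINE = re.compile(r"Source File: (?P<file>\S+), Offset: (?P<offset>\w+), "
                         r"based on PE: (?P<pe>true|false)")
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|Opcode ID|Instruction ID):\s*(?P<val>.*)$")

# Direct-call sets that are MSVC CRT boilerplate rather than sample logic (heuristic,
# matched as a subset of a record's own calls; "Part of subcall" lines are excluded).
CRT_SIGNATURES = {
    "MSVC CRT fail-fast handler": {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
                                   "UnhandledExceptionFilter"},
    "MSVC CRT process exit": {"GetCurrentProcess", "TerminateProcess", "ExitProcess"},
    "MSVC CRT locale init": {"GetLocaleInfoW"},
}

def parse_records(text):
    """One dict per function record; a record starts at an 'APIs' or 'Strings' line."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() in ("APIs", "Strings"):
            cur = {"apis": [], "subcalls": [], "file": None, "offset": None,
                   "pe_backed": None, "API ID": "", "Opcode ID": "", "Instruction ID": ""}
            records.append(cur)
        elif cur is None:
            continue                      # text before the first record
        elif (m := SOURCE_LINE.search(line)):
            cur["file"], cur["offset"], cur["pe_backed"] = m["file"], m["offset"], m["pe"] == "true"
        elif (m := FIELD_LINE.match(line)):
            cur[m["key"]] = m["val"].strip()
        elif (m := API_LINE.match(line)):
            (cur["subcalls"] if m["sub"] else cur["apis"]).append(m["name"])
    return records

def find_relocated_code(records):
    """Opcode IDs present in more than one dump region: the same function body at a
    second base address, i.e. code that was unpacked or copied, not just mapped from disk."""
    regions = defaultdict(set)
    for r in records:
        if r["Opcode ID"] and r["offset"]:
            regions[r["Opcode ID"]].add(r["offset"])
    return {op: sorted(offs) for op, offs in regions.items() if len(offs) > 1}

def classify(record):
    """Name the CRT routine a record's direct API set matches, else None."""
    apis = set(record["apis"])
    return next((label for label, sig in CRT_SIGNATURES.items() if sig <= apis), None)

def summarize(text):
    """Triage lines: one per record, then one per Opcode ID seen in several regions."""
    records = parse_records(text)
    lines = []
    for r in records:
        region = "PE-backed" if r["pe_backed"] else "not PE-backed"
        tag = classify(r) or "sample-specific, review"
        lines.append(f"{r['offset']} [{region}] {', '.join(r['apis'])} -> {tag}")
    for op, offs in find_relocated_code(records).items():
        lines.append(f"same Opcode ID {op[:12]}... in regions {' and '.join(offs)}")
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Feed it the full listing (copied as text) rather than the excerpt and the relocation check becomes the useful part: every Opcode ID that appears both in the 0x400000 image and in the 0x49A0000 region marks code that was carried into the second region, while records tagged as CRT scaffolding can be dropped from manual review. The CRT signatures are deliberately small and subset-based, so a function that calls GetLocaleInfoW plus something unexpected still gets the tag; widen or tighten them to taste.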

APIs
• GetCurrentProcess.KERNEL32(00000003,?,049B3C24,00000003,00437D60,0000000C,049B3D7B,00000003,00000002,00000000,?,049B2DD2,00000003), ref: 049B3C6F
• TerminateProcess.KERNEL32(00000000,?,049B3C24,00000003,00437D60,0000000C,049B3D7B,00000003,00000002,00000000,?,049B2DD2,00000003), ref: 049B3C76
• ExitProcess.KERNEL32 ref: 049B3C88
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
                                                                                                                                                                                                                                • Opcode ID: 894b5bdb18b640f385292c5622eb6f2d8d3b57cbb89090b821d2e36a11f43174
                                                                                                                                                                                                                                • Instruction ID: f600988fee3d08fda39e85a4ad32953db380c4132b097a6acd8f3f6d075ac8d0
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 894b5bdb18b640f385292c5622eb6f2d8d3b57cbb89090b821d2e36a11f43174
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 80E0BF31101544ABCF62AF94DF089893F69EB44645F418474FD4586132CF35E956CB84
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: .$GetProcAddress.$l
                                                                                                                                                                                                                                • API String ID: 0-2784972518
                                                                                                                                                                                                                                • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                                                                                                                                • Instruction ID: 5b143020be640603938b3c541d7072067eabae1db30e36e72003d24b4052acc0
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 79314AB6900609DFEB10CF99C884AAEBBF9FF48324F15405AD941A7310D771FA55CBA4
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00413D9B,?,00000004), ref: 00417537
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: InfoLocale
                                                                                                                                                                                                                                • String ID: GetLocaleInfoEx
                                                                                                                                                                                                                                • API String ID: 2299586839-2904428671
                                                                                                                                                                                                                                • Opcode ID: 5624002d6b428694473462ba0072f2f24f44899c1fa35fdf49f16317c2614754
                                                                                                                                                                                                                                • Instruction ID: eb066377b6a6f3e9ff085c9de847c8580b30247b499f366338aeab0e0db1c657
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5624002d6b428694473462ba0072f2f24f44899c1fa35fdf49f16317c2614754
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BEF0F631740218BBDB11AF61AC01FAE3B75DF08711F90005AFC0527292CF755D509A9D
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85
                                                                                                                                                                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004205C2
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1663032902-0
                                                                                                                                                                                                                                • Opcode ID: 07176d041ccb76ae88aba79526e47c474368dd3b10318d7024768d010027b9a4
                                                                                                                                                                                                                                • Instruction ID: 77ec679e931d5f83319bd54e9c5f414fd5e1a778dc4a26272ac96700fb2417fe
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 07176d041ccb76ae88aba79526e47c474368dd3b10318d7024768d010027b9a4
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5D21A472A10126AFDB249F25EC41BBB73E8EB84314F50007FE905D6242EB78AD94CB58
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: GetLastError.KERNEL32(?,?,049AE697,?,?,?,049AED94,?), ref: 049B6F84
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: _free.LIBCMT ref: 049B6FB7
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: SetLastError.KERNEL32(00000000), ref: 049B6FF8
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: _abort.LIBCMT ref: 049B6FFE
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: _free.LIBCMT ref: 049B6FDF
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: SetLastError.KERNEL32(00000000), ref: 049B6FEC
                                                                                                                                                                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 049C0829
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1663032902-0
                                                                                                                                                                                                                                • Opcode ID: 07176d041ccb76ae88aba79526e47c474368dd3b10318d7024768d010027b9a4
                                                                                                                                                                                                                                • Instruction ID: 170abc35d800a3819d4411c89bd109f7c6a6f8928fc10c51885a807ff018e2bf
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 07176d041ccb76ae88aba79526e47c474368dd3b10318d7024768d010027b9a4
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4E214172510246EBEB28AF64DC41BBA73ACEB44314F10417EED05D6140EB76B944CBD6
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                • EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 00420268
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1084509184-0
                                                                                                                                                                                                                                • Opcode ID: 99b2f876620ac10c6ca92bde749c113f34e51ea65ef0bdbea7568b5c98a300cc
                                                                                                                                                                                                                                • Instruction ID: 49ba2386fd56472b937459dedd44369b9cff9a6b43f8a10f8929f2f22ea22f3a
• Opcode Fuzzy Hash: 99b2f876620ac10c6ca92bde749c113f34e51ea65ef0bdbea7568b5c98a300cc
• Instruction Fuzzy Hash: C211593A3003048FDB189F79E8955BABBD1FF80358B54442EE94647B41D775AC43CB54
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 049B6F80: GetLastError.KERNEL32(?,?,049AE697,?,?,?,049AED94,?), ref: 049B6F84
  • Part of subcall function 049B6F80: _free.LIBCMT ref: 049B6FB7
  • Part of subcall function 049B6F80: SetLastError.KERNEL32(00000000), ref: 049B6FF8
  • Part of subcall function 049B6F80: _abort.LIBCMT ref: 049B6FFE
• EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 049C04CF
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 99b2f876620ac10c6ca92bde749c113f34e51ea65ef0bdbea7568b5c98a300cc
• Instruction ID: be6d39d530db6240714725be62b873a5798abd23ded34410651eefa927061019
• Opcode Fuzzy Hash: 99b2f876620ac10c6ca92bde749c113f34e51ea65ef0bdbea7568b5c98a300cc
• Instruction Fuzzy Hash: FE112536600305DFDB189F79D8A06BBBB96FF84318F58443CE98687A40E771B942CB40
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042053C,00000000,00000000,?), ref: 004207CA
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
• Opcode ID: 50a760b773673056dd5f151f0344ea9a82e991bd5fc7a466e2a75e8168688c74
• Instruction ID: 77b7efbbd9605084933b199ee4511a6e14ac572494e41087e59a71c46a783dd0
• Opcode Fuzzy Hash: 50a760b773673056dd5f151f0344ea9a82e991bd5fc7a466e2a75e8168688c74
• Instruction Fuzzy Hash: 7DF04932B00131BBDB285A25EC05ABB77E8EB40714F55042FEC05A3641EB78BD41CAE4
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 049B6F80: GetLastError.KERNEL32(?,?,049AE697,?,?,?,049AED94,?), ref: 049B6F84
  • Part of subcall function 049B6F80: _free.LIBCMT ref: 049B6FB7
  • Part of subcall function 049B6F80: SetLastError.KERNEL32(00000000), ref: 049B6FF8
  • Part of subcall function 049B6F80: _abort.LIBCMT ref: 049B6FFE
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,049C07A3,00000000,00000000,?), ref: 049C0A31
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
• Opcode ID: 50a760b773673056dd5f151f0344ea9a82e991bd5fc7a466e2a75e8168688c74
• Instruction ID: aba13a478761b7ff53e282d1d7f16d9e5ddc6dafc69a9ea06f899c620d6d6c54
• Opcode Fuzzy Hash: 50a760b773673056dd5f151f0344ea9a82e991bd5fc7a466e2a75e8168688c74
• Instruction Fuzzy Hash: 8EF0F932A10115FFDB245AA58C09BBA77ECEB44714F05047DED45A3140EA74FE41C6D1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 049B6F80: GetLastError.KERNEL32(?,?,049AE697,?,?,?,049AED94,?), ref: 049B6F84
  • Part of subcall function 049B6F80: _free.LIBCMT ref: 049B6FB7
  • Part of subcall function 049B6F80: SetLastError.KERNEL32(00000000), ref: 049B6FF8
  • Part of subcall function 049B6F80: _abort.LIBCMT ref: 049B6FFE
  • Part of subcall function 049B6F80: _free.LIBCMT ref: 049B6FDF
  • Part of subcall function 049B6F80: SetLastError.KERNEL32(00000000), ref: 049B6FEC
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 049C0829
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
• Opcode ID: dddd9c65e4e1f30298f46963856044f07241dc7bad61ee8d4cc12e79d60ace71
• Instruction ID: bb742d11135cbaabe323aae424c0022d0a06c580b27509d3d4c3d5abf45b066a
• Opcode Fuzzy Hash: dddd9c65e4e1f30298f46963856044f07241dc7bad61ee8d4cc12e79d60ace71
• Instruction Fuzzy Hash: 5DF0C832A51209EBEB14AF74DC81EFA73ACDB84314F0041BEEA06D7240DA75BD0587D5
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
• EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 004202DD
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 113be6f81e3035ef4094f513c827c8a5482bca16cbeb68e33c29e2227a471707
• Instruction ID: f4d74bd71e075134b08b3162c017dc50aec929530ee89942bdaa7194291eeec2
• Opcode Fuzzy Hash: 113be6f81e3035ef4094f513c827c8a5482bca16cbeb68e33c29e2227a471707
• Instruction Fuzzy Hash: 8EF028363003149FD7249F39E88567B7BD1EF80358B55806FF9418B681D6B5DC42CA14
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 049B6F80: GetLastError.KERNEL32(?,?,049AE697,?,?,?,049AED94,?), ref: 049B6F84
  • Part of subcall function 049B6F80: _free.LIBCMT ref: 049B6FB7
  • Part of subcall function 049B6F80: SetLastError.KERNEL32(00000000), ref: 049B6FF8
  • Part of subcall function 049B6F80: _abort.LIBCMT ref: 049B6FFE
• EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 049C0544
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 113be6f81e3035ef4094f513c827c8a5482bca16cbeb68e33c29e2227a471707
• Instruction ID: 34521a53f9d27d0aa4e61fa685ebf22c5a42c879436fd99105771e3aad54d1a3
• Opcode Fuzzy Hash: 113be6f81e3035ef4094f513c827c8a5482bca16cbeb68e33c29e2227a471707
• Instruction Fuzzy Hash: B8F0C2363003449FDB249F7A9880A7A7B95EF8176CF15447DF9468B680D6B1E842DA40
Uniqueness
Uniqueness Score: -1.00%

APIs
                                                                                                                                                                                                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,049B4002,?,00000004), ref: 049B779E
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: InfoLocale
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2299586839-0
                                                                                                                                                                                                                                • Opcode ID: d06c81f9051624123f0240a2e40fa32804307ea5612c10cef1e8800cd83b6813
                                                                                                                                                                                                                                • Instruction ID: ba882c9dc14cd468dbb3b4fddbedea4ce648d410fee3f05af8a5faed7e3bf5ba
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d06c81f9051624123f0240a2e40fa32804307ea5612c10cef1e8800cd83b6813
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 31F0C231741218BBEB11AFA1EC01AAE3B66EF88711F9005BABC4926150CE716D2096C8
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 004119FB: EnterCriticalSection.KERNEL32(?,?,00416AB9,?,00437EC8,00000008,00416B87,?,?,?), ref: 00411A0A
                                                                                                                                                                                                                                • EnumSystemLocalesW.KERNEL32(Function_000170AB,00000001,00437F48,0000000C), ref: 00417129
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1272433827-0
                                                                                                                                                                                                                                • Opcode ID: 7d14fc4c37ba5c1eb5f5789ac7718501883f28f806716e35bc2b7c397605f316
                                                                                                                                                                                                                                • Instruction ID: 478c96efee8cf35dcbe40c2a7d162aedb82ec0696934307ef213c81b3e450308
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7d14fc4c37ba5c1eb5f5789ac7718501883f28f806716e35bc2b7c397605f316
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 82F03C72A90200AFDB14EF69D846B9D3BF0AB04724F10526AF414DB2E6CB788990CB49
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 049B1C62: RtlEnterCriticalSection.NTDLL(?), ref: 049B1C71
                                                                                                                                                                                                                                • EnumSystemLocalesW.KERNEL32(004170AB,00000001,00437F48,0000000C), ref: 049B7390
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1272433827-0
                                                                                                                                                                                                                                • Opcode ID: 7d14fc4c37ba5c1eb5f5789ac7718501883f28f806716e35bc2b7c397605f316
                                                                                                                                                                                                                                • Instruction ID: bbfbaa9a7d794f32d35b6c3791becca2341f0d62839b05ebd26f11af9591b811
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7d14fc4c37ba5c1eb5f5789ac7718501883f28f806716e35bc2b7c397605f316
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DEF04F72A903049FE715EF68D945B9D37F0FB44714F105279E844DB2E4CBB459508B89
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                • EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 004201E2
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1084509184-0
                                                                                                                                                                                                                                • Opcode ID: dc6ba866eb16a0e8202ac78c3c659fb354344be393a1c2857dc08766edbf3baa
                                                                                                                                                                                                                                • Instruction ID: db6231e4cc46389b928d3f68502c6f4218c27f8c43fece57adf930b758dd991b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dc6ba866eb16a0e8202ac78c3c659fb354344be393a1c2857dc08766edbf3baa
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 44F0553A30022457CB089F3AEC0567A7FD1FFC1714B46005EEA058B282C6BAD853CB98
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: GetLastError.KERNEL32(?,?,049AE697,?,?,?,049AED94,?), ref: 049B6F84
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: _free.LIBCMT ref: 049B6FB7
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: SetLastError.KERNEL32(00000000), ref: 049B6FF8
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: _abort.LIBCMT ref: 049B6FFE
                                                                                                                                                                                                                                • EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 049C0449
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1084509184-0
                                                                                                                                                                                                                                • Opcode ID: dc6ba866eb16a0e8202ac78c3c659fb354344be393a1c2857dc08766edbf3baa
                                                                                                                                                                                                                                • Instruction ID: 7a553a9ca635185df9a8165647e79e94f46211e153639b83d4e27e2616e09523
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dc6ba866eb16a0e8202ac78c3c659fb354344be393a1c2857dc08766edbf3baa
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1EF0553630020497CB049F79DC0577B7F94FFC1714F46006DEA498B282C631A843C790
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00009C12,00409378), ref: 00409C0B
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3192549508-0
                                                                                                                                                                                                                                • Opcode ID: 37a89dbd94a541d6949a367454bd87e5f81fc4fb93678faef82d160b6c7e219e
                                                                                                                                                                                                                                • Instruction ID: 45d68350dde52a3f41bb3cfd9e0ee1303ce9557964324acffd0e2deaa38d85f0
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 37a89dbd94a541d6949a367454bd87e5f81fc4fb93678faef82d160b6c7e219e
                                                                                                                                                                                                                                • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32(00409C12,049A95DF), ref: 049A9E72
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 37a89dbd94a541d6949a367454bd87e5f81fc4fb93678faef82d160b6c7e219e
• Instruction ID: 45d68350dde52a3f41bb3cfd9e0ee1303ce9557964324acffd0e2deaa38d85f0
• Opcode Fuzzy Hash: 37a89dbd94a541d6949a367454bd87e5f81fc4fb93678faef82d160b6c7e219e
• Instruction Fuzzy Hash:
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 08acb3965b4031bea61f5245200d95e2e98c400d10a9d016c552db6a4b8cc508
• Instruction ID: dcfa98a66e4e9bf543eb7ea8158f1a80588cd166686440bcbd93925ea0cb4c42
• Opcode Fuzzy Hash: 08acb3965b4031bea61f5245200d95e2e98c400d10a9d016c552db6a4b8cc508
• Instruction Fuzzy Hash: 11A02430701100CF73104F305D4470C37D55D441D134D003C5004C0030DF3040D4D70D
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.3336518839.0000000002F1E000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F1E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2f1e000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction ID: af8cf2d1c07b9df474c1408f20be214e3105ab339cff6c472099303436dc7ac2
• Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction Fuzzy Hash: 4711CE72340200AFE700DF55DC80FA273EAEB98760B598165EE09CB756E676E802CB60
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction ID: 08bf4ebb94c0f538efd1de4de9913848979eb4e2ae1fbc4f53616679c6c078d3
• Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction Fuzzy Hash: 5001A277A016049FDF21CF24C808BAA33E9EB86216F5544B9E90A9B281E774B9518BD0
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 9d037bec24c39842fdb41d63d06b61860568da7267ea86be451b4e4681316e80
• Instruction ID: 8ae6142132af87c7e5682a7a588f5480999d86aced5f895244e8bf3117bae5a7
• Opcode Fuzzy Hash: 9d037bec24c39842fdb41d63d06b61860568da7267ea86be451b4e4681316e80
• Instruction Fuzzy Hash: 0DB1C171900309AFDB10DF65C881BEEBBF5BF48304F14416EF959E7242D7B9A8918B64
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: e97052e7d5d39c2e49c6ef11ebcd5deb8362bed3d67f9f3722abe09ca1aa8c7f
• Instruction ID: 8331340fea7f2ffa8c7bf94e1e5268b9fc83ca2ea3728e75efb89ea182da6b84
• Opcode Fuzzy Hash: e97052e7d5d39c2e49c6ef11ebcd5deb8362bed3d67f9f3722abe09ca1aa8c7f
• Instruction Fuzzy Hash: 58B1BF719002059FEB21DFB4C984BEEBBB9FF49304F1440B9E995AB241DB75B841CBA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ___free_lconv_mon.LIBCMT ref: 0041F565
  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8D1
  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8E3
  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8F5
  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E907
  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E919
  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E92B
  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E93D
  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E94F
  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E961
  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E973
  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E985
  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E997
  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E9A9
• _free.LIBCMT ref: 0041F55A
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2
• _free.LIBCMT ref: 0041F57C
• _free.LIBCMT ref: 0041F591
• _free.LIBCMT ref: 0041F59C
• _free.LIBCMT ref: 0041F5BE
• _free.LIBCMT ref: 0041F5D1
• _free.LIBCMT ref: 0041F5DF
• _free.LIBCMT ref: 0041F5EA
• _free.LIBCMT ref: 0041F622
• _free.LIBCMT ref: 0041F629
• _free.LIBCMT ref: 0041F646
• _free.LIBCMT ref: 0041F65E
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 161543041-0
                                                                                                                                                                                                                                • Opcode ID: b9175880c53cb61b75c7f783674dde5ef8178fe79d68c96236a7112e5c5498ca
                                                                                                                                                                                                                                • Instruction ID: 316693fb469aea39a39253a8fd8e6cc64fc1a93db8be5688e07109e7d5df04fe
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b9175880c53cb61b75c7f783674dde5ef8178fe79d68c96236a7112e5c5498ca
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 33316C71500700AFEB20AE7AE845BD773E9FF44318F15446BE849D7262DA79ECC68A18
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • ___free_lconv_mon.LIBCMT ref: 049BF7CC
                                                                                                                                                                                                                                  • Part of subcall function 049BEB1B: _free.LIBCMT ref: 049BEB38
                                                                                                                                                                                                                                  • Part of subcall function 049BEB1B: _free.LIBCMT ref: 049BEB4A
                                                                                                                                                                                                                                  • Part of subcall function 049BEB1B: _free.LIBCMT ref: 049BEB5C
                                                                                                                                                                                                                                  • Part of subcall function 049BEB1B: _free.LIBCMT ref: 049BEB6E
                                                                                                                                                                                                                                  • Part of subcall function 049BEB1B: _free.LIBCMT ref: 049BEB80
                                                                                                                                                                                                                                  • Part of subcall function 049BEB1B: _free.LIBCMT ref: 049BEB92
                                                                                                                                                                                                                                  • Part of subcall function 049BEB1B: _free.LIBCMT ref: 049BEBA4
                                                                                                                                                                                                                                  • Part of subcall function 049BEB1B: _free.LIBCMT ref: 049BEBB6
                                                                                                                                                                                                                                  • Part of subcall function 049BEB1B: _free.LIBCMT ref: 049BEBC8
                                                                                                                                                                                                                                  • Part of subcall function 049BEB1B: _free.LIBCMT ref: 049BEBDA
                                                                                                                                                                                                                                  • Part of subcall function 049BEB1B: _free.LIBCMT ref: 049BEBEC
                                                                                                                                                                                                                                  • Part of subcall function 049BEB1B: _free.LIBCMT ref: 049BEBFE
                                                                                                                                                                                                                                  • Part of subcall function 049BEB1B: _free.LIBCMT ref: 049BEC10
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF7C1
                                                                                                                                                                                                                                  • Part of subcall function 049B6501: HeapFree.KERNEL32(00000000,00000000,?,049BF288,?,00000000,?,00000000,?,049BF52C,?,00000007,?,?,049BF920,?), ref: 049B6517
                                                                                                                                                                                                                                  • Part of subcall function 049B6501: GetLastError.KERNEL32(?,?,049BF288,?,00000000,?,00000000,?,049BF52C,?,00000007,?,?,049BF920,?,?), ref: 049B6529
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF7E3
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF7F8
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF803
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF825
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF838
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF846
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF851
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF889
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF890
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF8AD
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF8C5
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 161543041-0
                                                                                                                                                                                                                                • Opcode ID: b9175880c53cb61b75c7f783674dde5ef8178fe79d68c96236a7112e5c5498ca
                                                                                                                                                                                                                                • Instruction ID: 41ffcec3a3caa8161d5ad9816a8ac71e7702d5bb8895244aa3338f61fc649f8a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b9175880c53cb61b75c7f783674dde5ef8178fe79d68c96236a7112e5c5498ca
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B9315B326002019FEB30AA78DE84BDAB3E9EF81714F108479E4DAD6154DF72F950C792
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 269201875-0
                                                                                                                                                                                                                                • Opcode ID: ede1a756fe7c81b57652e01e6694f4d5898de535ff9c24b5680a7aebf79362e9
                                                                                                                                                                                                                                • Instruction ID: 728dd4b73fa8875da2944d3c1161fea0547f625c3b5c38e136dc442d3870b7dc
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ede1a756fe7c81b57652e01e6694f4d5898de535ff9c24b5680a7aebf79362e9
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 63C16376D40204BBDB20DFA9CC43FDA77F8AB48744F15416AFE05EB282E6749D818794
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042422F), ref: 00423249
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: DecodePointer
                                                                                                                                                                                                                                • String ID: /BB$acos$asin$exp$log$log10$pow$sqrt
                                                                                                                                                                                                                                • API String ID: 3527080286-1021189420
                                                                                                                                                                                                                                • Opcode ID: 88552b8886f88d94b8d1bbcc7aafbfab123f3002aa15034899b0489058aea16a
                                                                                                                                                                                                                                • Instruction ID: 5f418b0c94ccf72204288f9fbe243b868e613e1cea8606976bda72b47a9d9e27
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 88552b8886f88d94b8d1bbcc7aafbfab123f3002aa15034899b0489058aea16a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 06518E70B00529CBDB10DFA9F9481AD7BB0FB49305FE44197E881A6254CB7D8B65CB2D
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C39
                                                                                                                                                                                                                                  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
                                                                                                                                                                                                                                  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C45
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C50
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C5B
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C66
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C71
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C7C
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C87
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C92
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416CA0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: b4e3df1a2592718950074ff961ccd1fa3b04f250d0db4e1414e8dc6a3248423b
• Instruction ID: 425b14d8582b8484cae793816d5f4fa8e3af98928aded5048720e3a5ca7bcabf
• Opcode Fuzzy Hash: b4e3df1a2592718950074ff961ccd1fa3b04f250d0db4e1414e8dc6a3248423b
• Instruction Fuzzy Hash: B311E976100218BFDF01FF95D952DD93B65EF48358B4280AAFD088F222DA35EE919B84
Uniqueness
Uniqueness Score: -1.00%
APIs
• _free.LIBCMT ref: 049B6EA0
  • Part of subcall function 049B6501: HeapFree.KERNEL32(00000000,00000000,?,049BF288,?,00000000,?,00000000,?,049BF52C,?,00000007,?,?,049BF920,?), ref: 049B6517
  • Part of subcall function 049B6501: GetLastError.KERNEL32(?,?,049BF288,?,00000000,?,00000000,?,049BF52C,?,00000007,?,?,049BF920,?,?), ref: 049B6529
• _free.LIBCMT ref: 049B6EAC
• _free.LIBCMT ref: 049B6EB7
• _free.LIBCMT ref: 049B6EC2
• _free.LIBCMT ref: 049B6ECD
• _free.LIBCMT ref: 049B6ED8
• _free.LIBCMT ref: 049B6EE3
• _free.LIBCMT ref: 049B6EEE
• _free.LIBCMT ref: 049B6EF9
• _free.LIBCMT ref: 049B6F07
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: b4e3df1a2592718950074ff961ccd1fa3b04f250d0db4e1414e8dc6a3248423b
• Instruction ID: 7c6040527e50687947d58a5f71d497b5ca04023fed903145fa615603548af91e
• Opcode Fuzzy Hash: b4e3df1a2592718950074ff961ccd1fa3b04f250d0db4e1414e8dc6a3248423b
• Instruction Fuzzy Hash: 5811D775100008BFDB11EF94CA40CD93BA5EF55758B0184B1FA488B124DA72FE60DB82
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 004011B5
• std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204
  • Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
  • Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD
• std::bad_exception::bad_exception.LIBCMT ref: 00401225
• __CxxThrowException@8.LIBVCRUNTIME ref: 00401233
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
• std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
• String ID: bad locale name
• API String ID: 835844855-1405518554
• Opcode ID: 5bb5d50ea43f12d9519b4ce9e87ae728e2dc9a994e3de2c5b5b0931fcb6b1e5a
• Instruction ID: 9bdc7579a9a3bc6ca601cd004726ed2944731520d9260611c740ec4211b797ca
• Opcode Fuzzy Hash: 5bb5d50ea43f12d9519b4ce9e87ae728e2dc9a994e3de2c5b5b0931fcb6b1e5a
• Instruction Fuzzy Hash: 5D319F31904B40DEC731AF6AD941A5BFBF4BF08714B508A7FE04AA3AA1C738B504CB59
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 049A43F5
• std::_Lockit::_Lockit.LIBCPMT ref: 049A4404
• int.LIBCPMT ref: 049A441B
  • Part of subcall function 049A157F: std::_Lockit::_Lockit.LIBCPMT ref: 049A1590
  • Part of subcall function 049A157F: std::_Lockit::~_Lockit.LIBCPMT ref: 049A15AA
• std::locale::_Getfacet.LIBCPMT ref: 049A4424
• std::_Facet_Register.LIBCPMT ref: 049A4455
• std::_Lockit::~_Lockit.LIBCPMT ref: 049A446B
• __CxxThrowException@8.LIBVCRUNTIME ref: 049A4491
Strings
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID: _vB
• API String ID: 1202896665-2031504979
• Opcode ID: fc346c96f50ffa0ae8417ee06a27fb1f11bc101e5f50617f2bcd0e538bf8945f
• Instruction ID: 277c7309fba470eaccd2a62f26832c7b919553be32ed625d442fb9be69369aa7
• Opcode Fuzzy Hash: fc346c96f50ffa0ae8417ee06a27fb1f11bc101e5f50617f2bcd0e538bf8945f
• Instruction Fuzzy Hash: 651127329001188BDB05EBA4DC01AEDB7B9EFC4358F14047EE815A7290DB70FA11CBE1
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 049A3656
• std::_Lockit::_Lockit.LIBCPMT ref: 049A3665
• int.LIBCPMT ref: 049A367C
  • Part of subcall function 049A157F: std::_Lockit::_Lockit.LIBCPMT ref: 049A1590
  • Part of subcall function 049A157F: std::_Lockit::~_Lockit.LIBCPMT ref: 049A15AA
• std::locale::_Getfacet.LIBCPMT ref: 049A3685
• std::_Facet_Register.LIBCPMT ref: 049A36B6
• std::_Lockit::~_Lockit.LIBCPMT ref: 049A36CC
• __CxxThrowException@8.LIBVCRUNTIME ref: 049A36F2
Strings
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID: _vB
• API String ID: 1202896665-2031504979
• Opcode ID: 24ac42d491a15661983952bfe5964fcfc5bf883f37f088e85fec32acd73a0a07
• Instruction ID: 1a6394f28eb91bf9f3c89cb3330dc9f3a470ec450bbec6def6aad925e1f64743
• Opcode Fuzzy Hash: 24ac42d491a15661983952bfe5964fcfc5bf883f37f088e85fec32acd73a0a07
• Instruction Fuzzy Hash: 051106729001249BDB15EFA4C806AEE7779EFC4354F18047AE811A7290DB74AA10C7D1
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 049A3861
• std::_Lockit::_Lockit.LIBCPMT ref: 049A3870
• int.LIBCPMT ref: 049A3887
  • Part of subcall function 049A157F: std::_Lockit::_Lockit.LIBCPMT ref: 049A1590
  • Part of subcall function 049A157F: std::_Lockit::~_Lockit.LIBCPMT ref: 049A15AA
• std::locale::_Getfacet.LIBCPMT ref: 049A3890
• std::_Facet_Register.LIBCPMT ref: 049A38C1
• std::_Lockit::~_Lockit.LIBCPMT ref: 049A38D7
• __CxxThrowException@8.LIBVCRUNTIME ref: 049A38FD
Strings
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
                                                                                                                                                                                                                                • String ID: _vB
                                                                                                                                                                                                                                • API String ID: 1202896665-2031504979
                                                                                                                                                                                                                                • Opcode ID: 3d358693115aeff1749e0ee4b38daaf9f72a0ca6830b75372d93bcd920b392a7
                                                                                                                                                                                                                                • Instruction ID: d6c5d2d2fab64dd1c190525c116ac08f437db0551ff78cd3e51053f68bcbce58
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3d358693115aeff1749e0ee4b38daaf9f72a0ca6830b75372d93bcd920b392a7
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7A110672E001249BDB15EBA8C805AEDB779EFC4758F14047AE811A7290DF74EA14CBD2
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 1c333506b60f9a2cbe16c25422fb5c8dc001c6824b257e592f442b80053a19a3
                                                                                                                                                                                                                                • Instruction ID: 3006d8287b6cae361a5103408ca51f8dc2a0dcd7f71cc8485dc5f35be3c8443c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1c333506b60f9a2cbe16c25422fb5c8dc001c6824b257e592f442b80053a19a3
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5FC1C4B0A142499FDF11DFA8CA84BED7BF4AF4A314F0845A4DAC0A7391C774A941CFA5
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                • _memcmp.LIBVCRUNTIME ref: 00414CF4
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00414D65
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00414D7E
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00414DB0
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00414DB9
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00414DC5
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                                                                                                • String ID: C
                                                                                                                                                                                                                                • API String ID: 1679612858-1037565863
                                                                                                                                                                                                                                • Opcode ID: 8f87c09ea476144f3408270848766069dd2a72959f888511d1f2eb11bfac3621
                                                                                                                                                                                                                                • Instruction ID: af268d229fb851bfdfa469d3d7016fc6fe3b7b40d7c0f50ff16bf374563e7c73
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8f87c09ea476144f3408270848766069dd2a72959f888511d1f2eb11bfac3621
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7CB12975A016199BDB24DF18D884BEEB7B4FF88304F6045AAE809A7350E735AED1CF44
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: GetLastError.KERNEL32(?,?,049AE697,?,?,?,049AED94,?), ref: 049B6F84
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: _free.LIBCMT ref: 049B6FB7
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: SetLastError.KERNEL32(00000000), ref: 049B6FF8
                                                                                                                                                                                                                                  • Part of subcall function 049B6F80: _abort.LIBCMT ref: 049B6FFE
                                                                                                                                                                                                                                • _memcmp.LIBVCRUNTIME ref: 049B4F5B
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B4FCC
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B4FE5
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B5017
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B5020
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B502C
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                                                                                                • String ID: C
                                                                                                                                                                                                                                • API String ID: 1679612858-1037565863
                                                                                                                                                                                                                                • Opcode ID: 2dcdab9ff37da07fbf13cf7196123cc144f196f64e2833b55e76e053da9afdf4
                                                                                                                                                                                                                                • Instruction ID: 4a4c8230e95ed9dac8b8627b621b8f59315fa95b196210839550a75693a2313e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2dcdab9ff37da07fbf13cf7196123cc144f196f64e2833b55e76e053da9afdf4
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 73B13975A012199FDB24DF18C988AEDB7B5FF48304F1045AAD989A7351E731BE90CF80
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
                                                                                                                                                                                                                                • __alloca_probe_16.LIBCMT ref: 004167D1
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
                                                                                                                                                                                                                                • __alloca_probe_16.LIBCMT ref: 004168B6
                                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
                                                                                                                                                                                                                                • __freea.LIBCMT ref: 00416926
                                                                                                                                                                                                                                  • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                • __freea.LIBCMT ref: 0041692F
                                                                                                                                                                                                                                • __freea.LIBCMT ref: 00416954
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3864826663-0
                                                                                                                                                                                                                                • Opcode ID: f9eec1d03ef488200257542b3a30a4a1c023565d73c6751b204851a68cbc467a
                                                                                                                                                                                                                                • Instruction ID: 3d3e7015d1c5c7bc026f1fbb08fe6865a4c6ffd2cfadb9c0ba95752873af972a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f9eec1d03ef488200257542b3a30a4a1c023565d73c6751b204851a68cbc467a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4751F5B2610216ABDB259F65CC41EFF7BA9EF40754F16462EFD04D6280DB38DC80C668
                                                                                                                                                                                                                                Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: e68a25c084fc20a1e1d7f08a61fe8f3dbfc97445b378353a219a7845841ba709
• Instruction ID: 73c135ea74765e4518f9d8ef1c60bb5e0d099e6adef79961ba2dbed29d3485ac
• Opcode Fuzzy Hash: e68a25c084fc20a1e1d7f08a61fe8f3dbfc97445b378353a219a7845841ba709
• Instruction Fuzzy Hash: 8C61A076904305AFDB20DF66C842BDABBF4EF48710F1441ABEC45EB281D7749D828B98
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: f8833a0de0791504dabcccc7c771c2f5db8e414cd847f9ac854e63f406939190
• Instruction ID: f3ad225d7b3ebd5a0bbfd890c132c22b732102f0bb9d7946f7911baa349dbda2
• Opcode Fuzzy Hash: f8833a0de0791504dabcccc7c771c2f5db8e414cd847f9ac854e63f406939190
• Instruction Fuzzy Hash: 13619275900205AFEB20DFA8CD40BDABBF5EB85710F14457AE984EB385DA70B9418BD0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
• __fassign.LIBCMT ref: 00415AD0
• __fassign.LIBCMT ref: 00415AEB
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
• WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
• WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: ae6401f21b7801d045f97308b9b06165aa02294ae80e5cf11490d6b3e53dbacb
• Instruction ID: 407e3908cef374265deb6243eed94e9e176cff0c31ef9f6c7349134872b618e9
• Opcode Fuzzy Hash: ae6401f21b7801d045f97308b9b06165aa02294ae80e5cf11490d6b3e53dbacb
• Instruction Fuzzy Hash: 725105B0A04608DFDB10CFA8D881AEEBBF8EF49310F14416BE955F3251D774A981CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,049B63EF,?,?,?,?,?,?), ref: 049B5CBC
• __fassign.LIBCMT ref: 049B5D37
• __fassign.LIBCMT ref: 049B5D52
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 049B5D78
• WriteFile.KERNEL32(?,?,00000000,049B63EF,00000000,?,?,?,?,?,?,?,?,?,049B63EF,?), ref: 049B5D97
• WriteFile.KERNEL32(?,?,00000001,049B63EF,00000000,?,?,?,?,?,?,?,?,?,049B63EF,?), ref: 049B5DD0
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: bcc7f49e5f9acd1ab4da29e29a7effa70e0c752b6185b76a6d92c3c1d252d699
• Instruction ID: 8c0fa287c80cfb5797680772a2b3201819cdcd0b36772a3bf59a506f85345d74
• Opcode Fuzzy Hash: bcc7f49e5f9acd1ab4da29e29a7effa70e0c752b6185b76a6d92c3c1d252d699
• Instruction Fuzzy Hash: 10510770A00245BFDB10CFA8DD84AEEBBF8EF48314F15456AE585F7250E730A951CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 0040C7DB
• ___except_validate_context_record.LIBVCRUNTIME ref: 0040C7E3
• _ValidateLocalCookies.LIBCMT ref: 0040C871
• __IsNonwritableInCurrentImage.LIBCMT ref: 0040C89C
• _ValidateLocalCookies.LIBCMT ref: 0040C8F1
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 796a0128d9dbb3bf8459a97561fbccceb7ea0ac6e0ba9330f3f48fee75113795
• Instruction ID: 3eebbe8c3ad0fa61f276611c5937d4e28261350d7e8d9123906714334ee199f9
• Opcode Fuzzy Hash: 796a0128d9dbb3bf8459a97561fbccceb7ea0ac6e0ba9330f3f48fee75113795
• Instruction Fuzzy Hash: 59418235E00208DBCB10EF69C880A9EBBB5AF45325F14C27BE8156B3D1D7399945CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 049A141C
• std::_Lockit::_Lockit.LIBCPMT ref: 049A142E
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 049A146B
  • Part of subcall function 049A80E1: _Yarn.LIBCPMT ref: 049A8100
  • Part of subcall function 049A80E1: _Yarn.LIBCPMT ref: 049A8124
• std::bad_exception::bad_exception.LIBCMT ref: 049A148C
• __CxxThrowException@8.LIBVCRUNTIME ref: 049A149A
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 049A14BD
• std::_Lockit::~_Lockit.LIBCPMT ref: 049A152E
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
• String ID:
• API String ID: 835844855-0
• Opcode ID: d4016aa6201875b868c5713db93660535a29781f4af20a4f0b734588d552bf06
• Instruction ID: f765c182612f19793781169788f430f0d75caf2257b6ae7a2812afd9a2bfefb9
• Opcode Fuzzy Hash: d4016aa6201875b868c5713db93660535a29781f4af20a4f0b734588d552bf06
• Instruction Fuzzy Hash: 30317C71800B009FD735AF69D941A5BFBF4FF88714B108A3FE08A82A40CB74B611CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 049C626B
• RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043AE60,SOFTWARE\BroomCleaner), ref: 049C6293
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,0043AE60,0043AE61,Installed,Installed), ref: 049C6316
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 049C6337
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CloseCreateH_prologValue
                                                                                                                                                                                                                                • String ID: Installed$SOFTWARE\BroomCleaner
                                                                                                                                                                                                                                • API String ID: 1996196666-529226407
                                                                                                                                                                                                                                • Opcode ID: 0c1498eeef2a83cafb83bf210d5a9b90b4b671d1f7746b808874f939b35d2cd9
                                                                                                                                                                                                                                • Instruction ID: 1381a84e6d36aec023d04e8699718f223d6b29cac8cc6cfee0e6dd1b6c2d4950
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0c1498eeef2a83cafb83bf210d5a9b90b4b671d1f7746b808874f939b35d2cd9
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EF31AC71A00219EFEB159FA8CC94AFEBB79FB48358F14416DE402B3241C7711D46CBA0
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: da3a417481234f6a5cce791f459c1180441bcfe0ab5ce7d00eccf100f1f65345
                                                                                                                                                                                                                                • Instruction ID: 9c8ef9f1e7886cc92e32ce44b389b8283dd6e8511c6332daddb66b94c38c2fe8
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: da3a417481234f6a5cce791f459c1180441bcfe0ab5ce7d00eccf100f1f65345
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8E11E7726081257BDB203FB39D059AF3B6CEF92764751062EFC15D6251DEBCC88282B9
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 0041EFF3: _free.LIBCMT ref: 0041F01C
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F2FA
                                                                                                                                                                                                                                  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
                                                                                                                                                                                                                                  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F305
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F310
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F364
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F36F
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F37A
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F385
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                                                                                                • Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
                                                                                                                                                                                                                                • Instruction ID: be7813cec9e76b844f682d4c097dbd82c10abeb52ecb146189267b1763b940f2
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1F114272541B24B6D920BB72DC07FCBB7DCBF44708F40081EBE9E66052DA7DB5868654
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 049BF25A: _free.LIBCMT ref: 049BF283
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF561
                                                                                                                                                                                                                                  • Part of subcall function 049B6501: HeapFree.KERNEL32(00000000,00000000,?,049BF288,?,00000000,?,00000000,?,049BF52C,?,00000007,?,?,049BF920,?), ref: 049B6517
                                                                                                                                                                                                                                  • Part of subcall function 049B6501: GetLastError.KERNEL32(?,?,049BF288,?,00000000,?,00000000,?,049BF52C,?,00000007,?,?,049BF920,?,?), ref: 049B6529
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF56C
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF577
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF5CB
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF5D6
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF5E1
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BF5EC
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                                                                                                • Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
                                                                                                                                                                                                                                • Instruction ID: 0529f035fda6cd655e4fcde18a2b800dbd0bf69ac4638c740a826ef171399c92
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A8115472540704AAFA30B7B0CD46FCBBB9D6FC5704F404836A6D9E6054DA65F9148AD1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 0040418E
                                                                                                                                                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
                                                                                                                                                                                                                                • int.LIBCPMT ref: 004041B4
                                                                                                                                                                                                                                  • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
                                                                                                                                                                                                                                  • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
                                                                                                                                                                                                                                • std::locale::_Getfacet.LIBCPMT ref: 004041BD
                                                                                                                                                                                                                                • std::_Facet_Register.LIBCPMT ref: 004041EE
                                                                                                                                                                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
                                                                                                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040422A
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1202896665-0
                                                                                                                                                                                                                                • Opcode ID: fc346c96f50ffa0ae8417ee06a27fb1f11bc101e5f50617f2bcd0e538bf8945f
                                                                                                                                                                                                                                • Instruction ID: 83cc51774d47ba4475a281f6d7b020c526a0fd19fbdba44bd5d3cb2c7b641a00
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fc346c96f50ffa0ae8417ee06a27fb1f11bc101e5f50617f2bcd0e538bf8945f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EC110871A001289BCB04EBA4DC06AEE7774EF84358F10057FF915772D1DB389900C7A9
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 004033EF
• std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
• int.LIBCPMT ref: 00403415
  • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
  • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
• std::locale::_Getfacet.LIBCPMT ref: 0040341E
• std::_Facet_Register.LIBCPMT ref: 0040344F
• std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040348B
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID:
• API String ID: 1202896665-0
• Opcode ID: 24ac42d491a15661983952bfe5964fcfc5bf883f37f088e85fec32acd73a0a07
• Instruction ID: 705b121528f6e187a552e9d34ae6b3df2024d0ee7a8324a724e42d77b9682124
• Opcode Fuzzy Hash: 24ac42d491a15661983952bfe5964fcfc5bf883f37f088e85fec32acd73a0a07
• Instruction Fuzzy Hash: B311C4329001289BCB05EFA8C805AEE7B78EF84359F10452FF811772D1DB789A00CB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004035FA
• std::_Lockit::_Lockit.LIBCPMT ref: 00403609
• int.LIBCPMT ref: 00403620
  • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
  • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
• std::locale::_Getfacet.LIBCPMT ref: 00403629
• std::_Facet_Register.LIBCPMT ref: 0040365A
• std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
• __CxxThrowException@8.LIBVCRUNTIME ref: 00403696
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID:
• API String ID: 1202896665-0
• Opcode ID: 3d358693115aeff1749e0ee4b38daaf9f72a0ca6830b75372d93bcd920b392a7
• Instruction ID: 4997e6bde17a0f635c2d016693c2f4113915c820df16c93ef0ac66c49e5cddc6
• Opcode Fuzzy Hash: 3d358693115aeff1749e0ee4b38daaf9f72a0ca6830b75372d93bcd920b392a7
• Instruction Fuzzy Hash: DE11B232A001249BCB14EFA9C805AEE7B78AF44759F10452FF811773D1DB389A04CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,049B6BF7,00000001,00000001,?), ref: 049B6A00
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,049B6BF7,00000001,00000001,?,?,?,?), ref: 049B6A86
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 049B6B80
• __freea.LIBCMT ref: 049B6B8D
  • Part of subcall function 049B7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 049B7CDE
• __freea.LIBCMT ref: 049B6B96
• __freea.LIBCMT ref: 049B6BBB
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 0f73ec244de15a6da3a369d6d53f2abaa512a9059a296f3a28781672e1b0d4f4
• Instruction ID: 75bc87303b20bd4e5c9cf892a759c77542db72862d23f0ec8860cf324b062460
• Opcode Fuzzy Hash: 0f73ec244de15a6da3a369d6d53f2abaa512a9059a296f3a28781672e1b0d4f4
• Instruction Fuzzy Hash: C451DE72600226AEEB258F64CE84EFB77BAEB80764B154639EC44D6180EB34FC5086D1
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: a485617db110597ec1b9df0d6f289f1fb0bfa04032b722232bc564a93a62f50a
• Instruction ID: a06c4f6ae663fca8f796a33128cbcfeb149533fe63f1b311835a711b56a71280
• Opcode Fuzzy Hash: a485617db110597ec1b9df0d6f289f1fb0bfa04032b722232bc564a93a62f50a
• Instruction Fuzzy Hash: 4951FD72904205ABDF209B699D41EEF77A99F48364F10011FFA15962A2EB3DDD80C65C
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: e4bf59b0ec1b744cc32f8c0c94128242877339c1908a2c1c4c186e4d7dced7e5
• Instruction ID: d9b89ddfed0711a3c4d185b159d13c862f938f9c345cc384aff0915f24ba2e17
• Opcode Fuzzy Hash: e4bf59b0ec1b744cc32f8c0c94128242877339c1908a2c1c4c186e4d7dced7e5
• Instruction Fuzzy Hash: 9F510B72500205ABDF255F598E56AFE77ADAFC93A4F104139E854D6180DF31F940C6E4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,0040C9AC,0040A25B), ref: 0040C9C3
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D1
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9EA
• SetLastError.KERNEL32(00000000,?,0040C9AC,0040A25B), ref: 0040CA3C
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 18b5dec2a50485c169b3661b850eec390da6d2e1189e162841b222e1a78ff080
• Instruction ID: 6f2bd147e8afdd7a043ddb4cc032e70cd0d7bbdad2502d4e2c804448eb78ecb9
• Opcode Fuzzy Hash: 18b5dec2a50485c169b3661b850eec390da6d2e1189e162841b222e1a78ff080
• Instruction Fuzzy Hash: 3D01F57260D215AEE63857B5BDC5B6B2665DB01378320033FF214B02F0EEBD4C06955C
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,049ACC13,049AA4C2), ref: 049ACC2A
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 049ACC38
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 049ACC51
• SetLastError.KERNEL32(00000000,?,049ACC13,049AA4C2), ref: 049ACCA3
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
                                                                                                                                                                                                                                • API String ID: 3852720340-0
                                                                                                                                                                                                                                • Opcode ID: 830170af9e05d3dbdbf0f1320e03d58499cc30579d0bb48bb262cb75337020d8
                                                                                                                                                                                                                                • Instruction ID: 380a1597fa2b49040cf0465674fa652ad000957be89a29ea7e8632791fb88707
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 830170af9e05d3dbdbf0f1320e03d58499cc30579d0bb48bb262cb75337020d8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A801FC322093215EB7282B75BD8C9AB3B7AEB41A797300B3DF124DA4F0EF516C2195C4
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3160817290-0
                                                                                                                                                                                                                                • Opcode ID: f96bdeef7c0e3eccb1d63bd3d789de4010dedbd7b57bf7c614ef8227c1c7df8a
                                                                                                                                                                                                                                • Instruction ID: 67229b3f983384f7021419eb0c05c433d1635833c178197dce61a7b79ae5b6d3
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f96bdeef7c0e3eccb1d63bd3d789de4010dedbd7b57bf7c614ef8227c1c7df8a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E1F0A931784B1026C61177367C09BDF27295FC1765B27092FF518A2291EE7CDCC6815D
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3160817290-0
                                                                                                                                                                                                                                • Opcode ID: f96bdeef7c0e3eccb1d63bd3d789de4010dedbd7b57bf7c614ef8227c1c7df8a
                                                                                                                                                                                                                                • Instruction ID: 626efd70daee6bff292cd57dc75995d392f5e15d30baa3cf9dd0dcd6864cfe20
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f96bdeef7c0e3eccb1d63bd3d789de4010dedbd7b57bf7c614ef8227c1c7df8a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C6F0F9312895102AD72133796E08BEF35199BC1765F250934F5D4D21D0EE60BC1685E7
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID: /ping.php?substr=%s$185.172.128.228$Installed$qvB
                                                                                                                                                                                                                                • API String ID: 3519838083-3387484886
                                                                                                                                                                                                                                • Opcode ID: dbdcc093d5ff49b9939fbe79e5565d2d08c15c449c4736c25c3cf056a1d98fb5
                                                                                                                                                                                                                                • Instruction ID: 4ed89d5d354ac7b1511bf39140bba7ab00b1cbe2d7d01beeca1329c5c9f20640
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dbdcc093d5ff49b9939fbe79e5565d2d08c15c449c4736c25c3cf056a1d98fb5
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1701C0B2A01515BBE7149F88DC40BAEB7B8FF85718F10053AFC05D7240D370AA608AE1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042E2F0,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
                                                                                                                                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042E2F0,FlsSetValue,00000000), ref: 0041729F
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                • String ID: -@
                                                                                                                                                                                                                                • API String ID: 3177248105-2564449678
                                                                                                                                                                                                                                • Opcode ID: ca8a45eebd2a79313c9465f68ee09d2646c408a2010e3a78c504b4db5e2a09bb
                                                                                                                                                                                                                                • Instruction ID: 4020431c692cdd365c1edb7e0a14a8f9a79106a1dcbffcc21bafc0d3a38fe4c7
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ca8a45eebd2a79313c9465f68ee09d2646c408a2010e3a78c504b4db5e2a09bb
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3A012B3674A6229BC7314B699C449DB7BB8AF457B07110676F90AD7240CB38D847C6EC
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
                                                                                                                                                                                                                                • std::system_error::system_error.LIBCPMT ref: 004018D8
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Exception@8Throwstd::system_error::system_error
                                                                                                                                                                                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                                                                • API String ID: 1589814233-1866435925
                                                                                                                                                                                                                                • Opcode ID: e60b9ed89db90c4e39532bb7c6aaac4610bd40bec14260a39e28585c0d896fd8
                                                                                                                                                                                                                                • Instruction ID: e5a36d636a31146743a29846f322d727076c10bf51cb576a0d0ebd87300f877c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e60b9ed89db90c4e39532bb7c6aaac4610bd40bec14260a39e28585c0d896fd8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 54F0AFA290035C63DB10B9659802BEA7B989F09358F24803BFD45761E1DA795A04C6ED
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 049A1B30
                                                                                                                                                                                                                                • std::system_error::system_error.LIBCPMT ref: 049A1B3F
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
• API ID: Exception@8Throwstd::system_error::system_error
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 1589814233-1866435925
• Opcode ID: e60b9ed89db90c4e39532bb7c6aaac4610bd40bec14260a39e28585c0d896fd8
• Instruction ID: 645539fb5ab5695b935d82371fd8e226f781b592e9285c3f8c1b56c194b90bd6
• Opcode Fuzzy Hash: e60b9ed89db90c4e39532bb7c6aaac4610bd40bec14260a39e28585c0d896fd8
• Instruction Fuzzy Hash: 9DF02BB190032C77DB10AA949C42FD97B9C9F08394F148036FD446B194F7B4BA24C3E8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00437D60,0000000C,00413B14,00000003,00000002), ref: 00413A8C
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
• FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00437D60,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: e9ab9df708068ff77d02737265f27547bccff245a6d09e8574e118d44c2a6cbc
• Instruction ID: 7ce0cb3fbee047f4a8559af6233cdb304d6a34e640ed2fcc4eaf65fddaef0d9f
• Opcode Fuzzy Hash: e9ab9df708068ff77d02737265f27547bccff245a6d09e8574e118d44c2a6cbc
• Instruction Fuzzy Hash: F0F04431A01118BBDB119F94DC09BDEBFB8EF44752F5540AAF809A2290DF785E85CB9C
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40cab8f7c20ceae8ae22ba04d2332552c3c05e9d299873fb0615aa8a463a3c1a
• Instruction ID: 6ea283d57a609fffab434fde2135b7d270b6c6f02c2325d1109ee2994591e76b
• Opcode Fuzzy Hash: 40cab8f7c20ceae8ae22ba04d2332552c3c05e9d299873fb0615aa8a463a3c1a
• Instruction Fuzzy Hash: AE7129719062969BCB308F94C844AFFBB76FF41360F14022BE91457280D778ACE1C7AA
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40cab8f7c20ceae8ae22ba04d2332552c3c05e9d299873fb0615aa8a463a3c1a
• Instruction ID: 1fd8c521d924931fa7cf402eb3197ef91c5af6e9e03f00527aadd467a7ab7dbf
• Opcode Fuzzy Hash: 40cab8f7c20ceae8ae22ba04d2332552c3c05e9d299873fb0615aa8a463a3c1a
• Instruction Fuzzy Hash: 16717E31A0021A9BDF318F54CE88AFEBB79EF81361F154639E89167140DBB0A945C7E0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77
• _free.LIBCMT ref: 004146D7
• _free.LIBCMT ref: 004146EE
• _free.LIBCMT ref: 0041470D
• _free.LIBCMT ref: 00414728
• _free.LIBCMT ref: 0041473F
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: _free$AllocateHeap
• String ID:
• API String ID: 3033488037-0
• Opcode ID: 7e145fb4ba94dc3237958cad872b9e908e7f7c9f1f6bf31c302f80a0328396d6
• Instruction ID: 1364ae8c8bed3babfbeb70cadbec98ce06422c2098a54f189f7d31eb1db71690
• Opcode Fuzzy Hash: 7e145fb4ba94dc3237958cad872b9e908e7f7c9f1f6bf31c302f80a0328396d6
• Instruction Fuzzy Hash: 7251E571A00304AFDB20DF65D881BAA77F5EF99728F14056EE809D7690E739ED81CB48
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: _free$AllocateHeap
• String ID:
• API String ID: 3033488037-0
• Opcode ID: d20824fdcacda83af1664dbc103671d64a4d903058c6e02df8cb7ef10616926c
• Instruction ID: 918f8e29f24ad51f8da2278f41719e9a769749afeee0d5fbaf72455b108ae269
• Opcode Fuzzy Hash: d20824fdcacda83af1664dbc103671d64a4d903058c6e02df8cb7ef10616926c
• Instruction Fuzzy Hash: A651B431A00204AFEB21DF65CE80AAA77F9EF85B24B14457DE889D7251E731F911DBC1
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 57661e68e417e5a0554fbeacdd405e98a6be487f0d2ab815210d62823c981124
• Instruction ID: 8cf76a1bb0839b7cd8128bcbec6e1cebe900e569fbfc9cf9c78d37498cff2dcd
• Opcode Fuzzy Hash: 57661e68e417e5a0554fbeacdd405e98a6be487f0d2ab815210d62823c981124
• Instruction Fuzzy Hash: B241E032E00700EBCB15DFB9C880ADEB7B5EF89314B1185AAE515EB382D734AD41CB84
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 57661e68e417e5a0554fbeacdd405e98a6be487f0d2ab815210d62823c981124
• Instruction ID: 23079ae3b62eeae68555bd90573e4c9bbb9dbbdfd079f1747331085e108ab9ae
• Opcode Fuzzy Hash: 57661e68e417e5a0554fbeacdd405e98a6be487f0d2ab815210d62823c981124
• Instruction Fuzzy Hash: BE41B236A00300EFDB14DF78C980A99B7A5EF85728F564579D555EB390D771BD01CB80
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0041197C,?,00000000,?,00000001,?,?,00000001,0041197C,?), ref: 0041B34D
• __alloca_probe_16.LIBCMT ref: 0041B385
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B3D6
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DD1,?), ref: 0041B3E8
• __freea.LIBCMT ref: 0041B3F1
  • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 313313983-0
                                                                                                                                                                                                                                • Opcode ID: 23a3252cb5aa1ceb9cf1dbfe047612e0e4775c8e4192d68e8df02371e9c4781d
                                                                                                                                                                                                                                • Instruction ID: 9ad45024e657c6c1581d72c25b5196d30cf145d3c6dba1e906db6810fcdec08f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 23a3252cb5aa1ceb9cf1dbfe047612e0e4775c8e4192d68e8df02371e9c4781d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0831CE32A0021AABDB248F65CC41DEF7BA5EF40314B05412EFC14E6291EB39DDA5CBD8
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 0041E40C
                                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E42F
                                                                                                                                                                                                                                  • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E455
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041E468
                                                                                                                                                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E477
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 336800556-0
                                                                                                                                                                                                                                • Opcode ID: d21167a4ec00cfc2ded7cff180726697e6523b003ed2d29391144b3d5a9b389e
                                                                                                                                                                                                                                • Instruction ID: 3801774db5af9eb9c78c35188b4f65337a3fd4a66a09e05ac0132405ac606614
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d21167a4ec00cfc2ded7cff180726697e6523b003ed2d29391144b3d5a9b389e
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C70188766022157B27211A775C4CCBF6A6DDEC6FE4315012EBD08C3200DE788C8685BD
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 049BE673
                                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 049BE696
                                                                                                                                                                                                                                  • Part of subcall function 049B7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 049B7CDE
                                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 049BE6BC
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049BE6CF
                                                                                                                                                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 049BE6DE
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 336800556-0
                                                                                                                                                                                                                                • Opcode ID: d19c47060a10e2cafe652fe0b9a9a3538350b76910d5e87ed89a6a6c5fab3348
                                                                                                                                                                                                                                • Instruction ID: 6d4d4bae48b0dcf28dd5ce4c651c56788a60c72ee39cd7c995a2b7b88742f15d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d19c47060a10e2cafe652fe0b9a9a3538350b76910d5e87ed89a6a6c5fab3348
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3501D472702215BB2B3116B65D88CFF6A6DDAC2AE1315013DBD44C2200EE65AC0681F9
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416DD7
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416DFE
                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000), ref: 00416E0B
                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000), ref: 00416E14
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$_free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3170660625-0
                                                                                                                                                                                                                                • Opcode ID: 35a4c01cadca9632a23be7e2e88a6bdbc5a2c1ace872e4e8adc61478f88df720
                                                                                                                                                                                                                                • Instruction ID: 590f77e2bb6cf6723b3ae76f6f4a9e52eee2512f3abf58083b79aa59d1bf9a60
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 35a4c01cadca9632a23be7e2e88a6bdbc5a2c1ace872e4e8adc61478f88df720
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 540149363847202B82213676BC45EEB26299BC1374723057FF419A22C2EF7CCC96802C
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,049B25ED,049B7307,?,049B6FAE,00000001,00000364,?,049AE697,?,?,?,049AED94,?), ref: 049B7009
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B703E
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B7065
                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000), ref: 049B7072
                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000), ref: 049B707B
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$_free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3170660625-0
                                                                                                                                                                                                                                • Opcode ID: 35a4c01cadca9632a23be7e2e88a6bdbc5a2c1ace872e4e8adc61478f88df720
                                                                                                                                                                                                                                • Instruction ID: f17f115f0dd010d0f2a2b25c5c1b2b1c9407a3ab37ca376d6882234f012da347
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 35a4c01cadca9632a23be7e2e88a6bdbc5a2c1ace872e4e8adc61478f88df720
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 42014976240E003B97322BF81E84EEF221EABC127472107BAF495A2180FE74BC0680E5
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%
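The two blocks above share Opcode ID 35a4c01c... but come from different memory dumps: the mapping at 00400000 is backed by the PE on disk (based on PE: true), while the copy at 049A0000 is not (based on PE: false, and it carries Yara matches), and their Instruction IDs differ. The same opcode sequence present once inside the image and again in a non-image region is what an analyst triages first when a sample unpacks or injects a copy of its own code. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses this listing format and reports functions that occur both inside and outside the image, keyed on Opcode ID (strong) and, as a weaker fallback, on API ID, so that the GetEnvironmentStringsW pair above, which has matching API IDs but different Opcode IDs and subcall arguments, still surfaces as a candidate. SAMPLE_LISTING is constructed from abbreviated copies of the blocks on this page; the field names it extracts (Source File, Offset, based on PE, Opcode ID, Instruction ID, API ID, Yara matches) are taken from the listing itself. The reading of "Instruction IDs differ" as "operands such as absolute addresses changed between the copies" is an assumption: the report does not document what either ID covers.

```python
# Added example (not Joe Sandbox tooling): cross-reference the function blocks of a
# Joe Sandbox disassembly listing across memory dumps. A function present both in the
# image-backed mapping (based on PE: true) and in a dump not backed by the PE on disk
# (based on PE: false) is the first thing to triage when a sample unpacks or injects code.
import re
from collections import defaultdict

# Constructed sample: abbreviated copies of four blocks from the listing above.
SAMPLE_LISTING = """\
APIs
• GetLastError.KERNEL32(?,?,?,00412386,004170A0), ref: 00416DA2
• SetLastError.KERNEL32(00000000), ref: 00416E0B
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• API ID: ErrorLast$_free
• Opcode ID: 35a4c01cadca9632a23be7e2e88a6bdbc5a2c1ace872e4e8adc61478f88df720
• Instruction ID: 590f77e2bb6cf6723b3ae76f6f4a9e52eee2512f3abf58083b79aa59d1bf9a60
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetLastError.KERNEL32(?,?,?,049B25ED,049B7307), ref: 049B7009
• SetLastError.KERNEL32(00000000), ref: 049B7072
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Yara matches
• API ID: ErrorLast$_free
• Opcode ID: 35a4c01cadca9632a23be7e2e88a6bdbc5a2c1ace872e4e8adc61478f88df720
• Instruction ID: f17f115f0dd010d0f2a2b25c5c1b2b1c9407a3ab37ca376d6882234f012da347
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0041E40C
  • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?), ref: 00417A77
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E477
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• Opcode ID: d21167a4ec00cfc2ded7cff180726697e6523b003ed2d29391144b3d5a9b389e
• Instruction ID: 3801774db5af9eb9c78c35188b4f65337a3fd4a66a09e05ac0132405ac606614
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 049BE673
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 049BE6DE
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Yara matches
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• Opcode ID: d19c47060a10e2cafe652fe0b9a9a3538350b76910d5e87ed89a6a6c5fab3348
• Instruction ID: 6d4d4bae48b0dcf28dd5ce4c651c56788a60c72ee39cd7c995a2b7b88742f15d
"""

SOURCE_RE = re.compile(r"Source File:\s*(\S+?),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
FIELD_RE = re.compile(r"^•\s*(Opcode ID|Instruction ID|API ID):\s*(.*)$")
API_RE = re.compile(r"^•\s*([A-Za-z_]\w*)\.(\w+)")  # top-level calls only; subcall lines do not match


def parse_blocks(text):
    """One dict per 'APIs' section: apis, source_file, offset, based_on_pe, yara and the IDs."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "yara": False}
            blocks.append(cur)
        elif cur is None:
            continue
        elif line == "Yara matches":
            cur["yara"] = True
        elif (m := SOURCE_RE.search(line)):
            cur["source_file"], cur["offset"] = m.group(1), int(m.group(2), 16)
            cur["based_on_pe"] = m.group(3) == "true"
        elif (m := FIELD_RE.match(line)):
            cur[m.group(1).lower().replace(" ", "_")] = m.group(2)
        elif (m := API_RE.match(line)):
            cur["apis"].append(f"{m.group(1)}.{m.group(2)}")
    return blocks


def relocated_functions(blocks, key="opcode_id"):
    """Functions whose `key` value occurs both inside and outside the mapped image."""
    groups = defaultdict(list)
    for b in blocks:
        if key in b and "source_file" in b:
            groups[b[key]].append(b)
    findings = []
    for value, copies in groups.items():
        inside = [c["offset"] for c in copies if c["based_on_pe"]]
        outside = [c for c in copies if not c["based_on_pe"]]
        if inside and outside:
            findings.append({
                "value": value, "api_id": copies[0].get("api_id"),
                "image_offsets": sorted(inside),
                "foreign_offsets": sorted(c["offset"] for c in outside),
                "yara_on_foreign_copy": any(c["yara"] for c in outside),
                # equal opcodes but different Instruction IDs: assumed to mean operands were rebased
                "instruction_ids_differ": len({c.get("instruction_id") for c in copies}) > 1})
    return findings


def triage(blocks):
    """Opcode ID matches are strong; API-ID-only matches (same calls, different code) are weaker."""
    strong = relocated_functions(blocks, "opcode_id")
    covered = {f["api_id"] for f in strong}
    weak = [f for f in relocated_functions(blocks, "api_id") if f["value"] not in covered]
    return strong, weak
```

To run it over a saved report, pass the text to parse_blocks and hand the result to triage: the strong list is what to open in a debugger at the foreign offset, the weak list is a lower-confidence candidate set. On this page the strong hit is the GetLastError/_free/SetLastError function, and the weak hit is the GetEnvironmentStringsW function, whose 049A0000 copy calls RtlAllocateHeap with a different argument signature and therefore hashes to a different Opcode ID. Both are C runtime code, so the match itself only says the runtime was copied along with the rest of the module; the signal worth escalating is the non-image region carrying the Yara hit, not the API set.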

APIs
• _free.LIBCMT ref: 0041ED86
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2
• _free.LIBCMT ref: 0041ED98
• _free.LIBCMT ref: 0041EDAA
• _free.LIBCMT ref: 0041EDBC
• _free.LIBCMT ref: 0041EDCE
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: e1b2229c170471cad9511440fdbaceac99caba8a87cda5d123aefe47b03668a4
• Instruction ID: 4fbf26fd28a8761b677517a124a66282875c94d9b9982584bfc58ae744149868
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e1b2229c170471cad9511440fdbaceac99caba8a87cda5d123aefe47b03668a4
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5FF06232504312EB9E20EF6AF885DDB73E9BA44714355085BF808E7640C778FCC0865C
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • _free.LIBCMT ref: 004152D0
                                                                                                                                                                                                                                  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
                                                                                                                                                                                                                                  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2
                                                                                                                                                                                                                                • _free.LIBCMT ref: 004152E2
                                                                                                                                                                                                                                • _free.LIBCMT ref: 004152F5
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00415306
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00415317
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                                                                                                • Opcode ID: d2475394655229b87a2a231197a96fb4321ea4f7fd90eb8942919d33dec51e29
                                                                                                                                                                                                                                • Instruction ID: bd3368c0b25b78dbdc1e8abc7373622524bfd2772586a7011706bfb0bee2724c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d2475394655229b87a2a231197a96fb4321ea4f7fd90eb8942919d33dec51e29
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F3F030B14813208B8A167F16FC415C93B61BB5871931131AFF44956775CB395CA18F8E
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B5537
                                                                                                                                                                                                                                  • Part of subcall function 049B6501: HeapFree.KERNEL32(00000000,00000000,?,049BF288,?,00000000,?,00000000,?,049BF52C,?,00000007,?,?,049BF920,?), ref: 049B6517
                                                                                                                                                                                                                                  • Part of subcall function 049B6501: GetLastError.KERNEL32(?,?,049BF288,?,00000000,?,00000000,?,049BF52C,?,00000007,?,?,049BF920,?,?), ref: 049B6529
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B5549
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B555C
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B556D
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B557E
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                                                                                                • Opcode ID: d2475394655229b87a2a231197a96fb4321ea4f7fd90eb8942919d33dec51e29
                                                                                                                                                                                                                                • Instruction ID: 606eef7cf8b57936e5128846f4761caf8670e2861759a608f64fde2503ad2c4c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d2475394655229b87a2a231197a96fb4321ea4f7fd90eb8942919d33dec51e29
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A8F09AB08542209BCA226F18FD804853B62AB15A25312713EF08442278CFB66EB1CFCF
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: @
                                                                                                                                                                                                                                • API String ID: 0-2895899722
                                                                                                                                                                                                                                • Opcode ID: b52d94582baa6868900cfecb171c62a8035a88aed09a9162bfb2cfc354896c9a
                                                                                                                                                                                                                                • Instruction ID: c5d623140409e6a8d976750a690e768927eb9a43711eccc58faa8c11c80da68b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b52d94582baa6868900cfecb171c62a8035a88aed09a9162bfb2cfc354896c9a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C851E1B1D40209ABDB10AFA9C845EEF7BB8AF45314F16015BE804B7292D77CD981CB69
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe,00000104), ref: 00413303
                                                                                                                                                                                                                                • _free.LIBCMT ref: 004133CE
                                                                                                                                                                                                                                • _free.LIBCMT ref: 004133D8
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$FileModuleName
                                                                                                                                                                                                                                • String ID: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe
                                                                                                                                                                                                                                • API String ID: 2506810119-2953877501
                                                                                                                                                                                                                                • Opcode ID: 7cde11c0b341d83a689c8ac0215e926d985f9273aa0b89270843955781aff3fc
                                                                                                                                                                                                                                • Instruction ID: 1d3d6450662fa2269543f68f0355dd37071cdd96c53fcda0561707c64ab2d40b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7cde11c0b341d83a689c8ac0215e926d985f9273aa0b89270843955781aff3fc
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4731B371A40218AFCB21DF9A9C819DEBBB8EB84311B1040ABFC14D7210DB788B81CB5D
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe,00000104), ref: 049B356A
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B3635
                                                                                                                                                                                                                                • _free.LIBCMT ref: 049B363F
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$FileModuleName
                                                                                                                                                                                                                                • String ID: C:\Users\user\Pictures\JPl4ZLOvy3fY5RSXGk5s9Gl5.exe
                                                                                                                                                                                                                                • API String ID: 2506810119-2953877501
                                                                                                                                                                                                                                • Opcode ID: 7cde11c0b341d83a689c8ac0215e926d985f9273aa0b89270843955781aff3fc
                                                                                                                                                                                                                                • Instruction ID: 45acfbbbfceb61b9751543aaefeb8a39c76a8cfd3f3a94a14860622b08c7fe83
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7cde11c0b341d83a689c8ac0215e926d985f9273aa0b89270843955781aff3fc
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A431B571A40258EFDB31DF999E859DEBBFCEB84710F104076E88497210D7B0AA41CBD1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID: /cpa/ping.php?substr=%s&s=ab&sub=%s$one$qvB
                                                                                                                                                                                                                                • API String ID: 3519838083-855906859
                                                                                                                                                                                                                                • Opcode ID: f5393bbe0179e56c72e8d6aed76511a95c4a66d15052c3b77f8b18530fd2a227
                                                                                                                                                                                                                                • Instruction ID: 680648dfbd11243c3f74c3e3e10bc0b26f9a645513d8047720a9b9d0a057771a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f5393bbe0179e56c72e8d6aed76511a95c4a66d15052c3b77f8b18530fd2a227
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4211C4B2A01515BBEB149F98CC44BAEB7B9FF85724F40453AF818D7240D370AA618BE1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID: /ping.php?substr=%s$185.172.128.228$Installed
                                                                                                                                                                                                                                • API String ID: 3519838083-3380671521
                                                                                                                                                                                                                                • Opcode ID: dbdcc093d5ff49b9939fbe79e5565d2d08c15c449c4736c25c3cf056a1d98fb5
                                                                                                                                                                                                                                • Instruction ID: e528e6f54f7bd6397a7a31987af09de96e2bb5ca05102ccdf4d55b1b8520bb33
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dbdcc093d5ff49b9939fbe79e5565d2d08c15c449c4736c25c3cf056a1d98fb5
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2301C472A01114BBDB04AF899C41BAEF76DEF85315F10013FF405E3292D3789E5186E9
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 049C6398
                                                                                                                                                                                                                                • WriteFile.KERNEL32(00000000,?,00000400,049C59A8,00000000), ref: 049C63B0
                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 049C63B9
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: File$CloseCreateHandleWrite
                                                                                                                                                                                                                                • String ID: /syncUpd.exe
                                                                                                                                                                                                                                • API String ID: 1065093856-1956333723
                                                                                                                                                                                                                                • Opcode ID: a912db88f114df2c6673003673c4522d4d60e875e8989093ee3ec27779da3b73
                                                                                                                                                                                                                                • Instruction ID: e7a4722953d4abea6065c55677e6e8b7cd47734b5de6b9825911ee61abf5947a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a912db88f114df2c6673003673c4522d4d60e875e8989093ee3ec27779da3b73
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 33F0A4B2301221B7E7345AA99C88E5FBA9DEF846A4F00003DF706D6191DAB1FC0583E5
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,serversystemNCQ_x64.exe), ref: 049C646E
                                                                                                                                                                                                                                • WriteFile.KERNEL32(00000000,?,00000400,049C5DE6,00000000), ref: 049C6486
                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 049C648F
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: File$CloseCreateHandleWrite
                                                                                                                                                                                                                                • String ID: serversystemNCQ_x64.exe
                                                                                                                                                                                                                                • API String ID: 1065093856-4105491473
                                                                                                                                                                                                                                • Opcode ID: 81eeccf449e78c501f1cd1432d73a9a3a23dd028abcdb10082ca37ec707300bb
                                                                                                                                                                                                                                • Instruction ID: 952ba8f644425aa387af7ed5cc763b834c49cc7149f4f92a30b9a50905749259
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 81eeccf449e78c501f1cd1432d73a9a3a23dd028abcdb10082ca37ec707300bb
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1DF06DB2701221BBE7304BAA9C48E5BBA9DEB856A4F004039B709D6150DAB1FC05D6A5
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • ShellExecuteEx.SHELL32(?), ref: 049C6408
                                                                                                                                                                                                                                • WaitForSingleObject.KERNEL32(?,00008000), ref: 049C641C
                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 049C6425
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CloseExecuteHandleObjectShellSingleWait
                                                                                                                                                                                                                                • String ID: /BroomSetup.exe
                                                                                                                                                                                                                                • API String ID: 3837156514-1897133622
                                                                                                                                                                                                                                • Opcode ID: faa3531e92f7a28ce8b89843f4620ca73c62c6e16bba268bd3709f44c3ecf90f
                                                                                                                                                                                                                                • Instruction ID: 1808ea22e8731bc7e271204fa7f9ebe47a522d4b425d2ed0f41d2dd985af7f2f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: faa3531e92f7a28ce8b89843f4620ca73c62c6e16bba268bd3709f44c3ecf90f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 74017C31D00218EBDB15DF69E8445DCBBB8FF48710F40812AF801A6260EB709A45CF90
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: __alldvrm$_strrchr
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1036877536-0
                                                                                                                                                                                                                                • Opcode ID: 189549fbd5bb4ab0b5dc2d1a196f9afd79985f6d04f47c2d3181048c17836110
                                                                                                                                                                                                                                • Instruction ID: 904abf3455293af5dc28361a3842bc8dfa3977a77267bab69feed652e5be58e7
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 189549fbd5bb4ab0b5dc2d1a196f9afd79985f6d04f47c2d3181048c17836110
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 17A11272A083869FDB218E18C881BEBBBF1EF55354F1441AEE5859B281D63C8982C758
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 189549fbd5bb4ab0b5dc2d1a196f9afd79985f6d04f47c2d3181048c17836110
• Instruction ID: 5012802e82d8b5467fd7801dbbd2721fa5271b17b0e16c2bcf7be8c32d3ee3c2
• Opcode Fuzzy Hash: 189549fbd5bb4ab0b5dc2d1a196f9afd79985f6d04f47c2d3181048c17836110
• Instruction Fuzzy Hash: 28A15531A00A869FEB25EE18C990BEABBEDEF59390F18457DD9D49B240D234A941C7D0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: c3162c8456312e82e41fd9f8206d1c8395647c3febd80e25e1b83a4a10e5e726
• Instruction ID: 73bae74a26b7ada03dc8fd491e978b67bd9d17df28ded5f6e3a1200ab970dd08
• Opcode Fuzzy Hash: c3162c8456312e82e41fd9f8206d1c8395647c3febd80e25e1b83a4a10e5e726
• Instruction Fuzzy Hash: 2F411BB1B002207BDB206B7A9D41BEE36A4FF05374F54021BF818D6291DAFC89C19669
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 3b94825b8aa3832d3ef3165fe941ff5e47c4270fc62a832450709df6769c8b69
• Instruction ID: dc3cdb8e9386d4346fffa520ddd2107a1a5533c92ab60e20513876c2e45725bc
• Opcode Fuzzy Hash: 3b94825b8aa3832d3ef3165fe941ff5e47c4270fc62a832450709df6769c8b69
• Instruction Fuzzy Hash: 47412B71E002056FEB216FB88D84AEE3669EF83374F1446FDF458D6190DA74B54192A3
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0042D740,00000000,00000000,8B56FF8B,049B4002,?,00000004,00000001,0042D740,0000007F,?,8B56FF8B,00000001), ref: 049BB5B4
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 049BB63D
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 049BB64F
• __freea.LIBCMT ref: 049BB658
  • Part of subcall function 049B7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 049B7CDE
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: 85e830a01370505c20d0c66bcccfbbe4c72d0f29140b44b833c745a57283bd6b
• Instruction ID: 5914be6c849e05ff3a5e4b7278fdec1092c93015a1c850368598b7aa2499ada7
• Opcode Fuzzy Hash: 85e830a01370505c20d0c66bcccfbbe4c72d0f29140b44b833c745a57283bd6b
• Instruction Fuzzy Hash: 8631AE72A0021AABDF258F64CC44DEE7BA9EB40724F054179ED48D6690EB35ED64CBE0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0040CCBE
  • Part of subcall function 0040CC0B: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC3A
  • Part of subcall function 0040CC0B: ___AdjustPointer.LIBCMT ref: 0040CC55
• _UnwindNestedFrames.LIBCMT ref: 0040CCD3
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCE4
• CallCatchBlock.LIBVCRUNTIME ref: 0040CD0C
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
• Opcode ID: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
• Instruction ID: 6cd8a4fdf9e309ef40a66346d060796d29459ceaa081db5c793327cde4683266
• Opcode Fuzzy Hash: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
• Instruction Fuzzy Hash: AA012D72500108BBDF116F96CC81DEB3F69EF98758F044129FE0866261C73AE861DBA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 049ACF25
  • Part of subcall function 049ACE72: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 049ACEA1
  • Part of subcall function 049ACE72: ___AdjustPointer.LIBCMT ref: 049ACEBC
• _UnwindNestedFrames.LIBCMT ref: 049ACF3A
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 049ACF4B
• CallCatchBlock.LIBVCRUNTIME ref: 049ACF73
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
• Opcode ID: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
• Instruction ID: a89fdeff8b5fb8d94bf75f264fb3eeac17ff371374d48ec4eefa8303ea726f4a
• Opcode Fuzzy Hash: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
• Instruction Fuzzy Hash: 5901D772500209BBDF126E95CC44DEB7B6AEF89758F054124FE08AA120D636E871DBE4
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,049AED94,00000000,00000000,?,049B7461,049AED94,00000000,00000000,00000000,?,049B7719,00000006,0042E2F8), ref: 049B74EC
• GetLastError.KERNEL32(?,049B7461,049AED94,00000000,00000000,00000000,?,049B7719,00000006,0042E2F8,0042E2F0,0042E2F8,00000000,00000364,?,049B7052), ref: 049B74F8
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,049B7461,049AED94,00000000,00000000,00000000,?,049B7719,00000006,0042E2F8,0042E2F0,0042E2F8,00000000), ref: 049B7506
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: ca8a45eebd2a79313c9465f68ee09d2646c408a2010e3a78c504b4db5e2a09bb
• Instruction ID: 5037308e76c3adc7c9a36415bf093938c5579663efb650b3ea79ce4ac920b083
• Opcode Fuzzy Hash: ca8a45eebd2a79313c9465f68ee09d2646c408a2010e3a78c504b4db5e2a09bb
• Instruction Fuzzy Hash: FF014C323426265BC7304FA89D049D7375DAF847A17518B74FA47D3140DB60E905C6E4
Uniqueness
Uniqueness Score: -1.00%

APIs
• __startOneArgErrorHandling.LIBCMT ref: 004129CD
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
                                                                                                                                                                                                                                • API String ID: 3213639722-2276729525
                                                                                                                                                                                                                                • Opcode ID: ba6df8563b8339eb0810a3e9ef2dc3b9b5ce058691c0daabc23001b6b9fc0b5a
                                                                                                                                                                                                                                • Instruction ID: e871ad958d0c3237763a2db945e0d8ca842ad08ee161d37671be5f50051c649b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ba6df8563b8339eb0810a3e9ef2dc3b9b5ce058691c0daabc23001b6b9fc0b5a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5C515BB1B5420296C7257719DF813EB2B90EF40750F60496BE085C63E9EB7C8CE6DA4E
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 049C64A1
                                                                                                                                                                                                                                  • Part of subcall function 049A4073: __EH_prolog.LIBCMT ref: 049A4078
                                                                                                                                                                                                                                  • Part of subcall function 049A4073: std::locale::_Init.LIBCPMT ref: 049A409A
                                                                                                                                                                                                                                • _Deallocate.LIBCONCRT ref: 049C65F5
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog$DeallocateInitstd::locale::_
                                                                                                                                                                                                                                • String ID: LyB
                                                                                                                                                                                                                                • API String ID: 2389838984-3773714357
                                                                                                                                                                                                                                • Opcode ID: b43d6b7ceb65bfdddc8a4d1d72d1a4e11e7704bb8849fddb18eadf6b27138a00
                                                                                                                                                                                                                                • Instruction ID: 25d8a88f25bb04904b5f3f2374f863fc17adf4bbeb287dd6ed9fa5174f595b36
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b43d6b7ceb65bfdddc8a4d1d72d1a4e11e7704bb8849fddb18eadf6b27138a00
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C751C0B1A00248DFEB14DFA9C9949EDFBB4FF98304F64422EE445A7241D770AA45CF91
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DE21
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Info
                                                                                                                                                                                                                                • String ID: $.A
                                                                                                                                                                                                                                • API String ID: 1807457897-2696116503
                                                                                                                                                                                                                                • Opcode ID: 02f55ba3ac5568e03e9fdbd7b88b41772807cc386f704f7c8a9efdfd3a48f4bf
                                                                                                                                                                                                                                • Instruction ID: c8879a2e2c6f1093175ecb34d3b29c7df1a6cb98fe180daaeb3bdf81d7a36b90
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 02f55ba3ac5568e03e9fdbd7b88b41772807cc386f704f7c8a9efdfd3a48f4bf
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 56410AF190434C9ADB218E248D84BFABBB9DF55304F1404EEE58A97142D23DAA86CF64
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 049ACA4A
                                                                                                                                                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 049ACB03
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                                • API String ID: 3480331319-1018135373
                                                                                                                                                                                                                                • Opcode ID: 796a0128d9dbb3bf8459a97561fbccceb7ea0ac6e0ba9330f3f48fee75113795
                                                                                                                                                                                                                                • Instruction ID: 7bff7e3ac28d6ea88a6fd0e806106cf7733225f1d3ecfedafcd023006ad91e76
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 796a0128d9dbb3bf8459a97561fbccceb7ea0ac6e0ba9330f3f48fee75113795
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 28418330E002189BDF10DF68C884AAEBBB9EF85318F148176E915AF391D775B965CBD0
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetACP.KERNEL32(?,20001004,?,00000002), ref: 0041FE6D
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: ACP$OCP
                                                                                                                                                                                                                                • API String ID: 0-711371036
                                                                                                                                                                                                                                • Opcode ID: c6d2c2c3f7c25fabefd8c517707ca918c95a0ca72f85b56e9eba91488959f309
                                                                                                                                                                                                                                • Instruction ID: 649476e1b3bbd5175eaef6faf82ab2916ec2ed690aaaaf30446e18060a09e767
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c6d2c2c3f7c25fabefd8c517707ca918c95a0ca72f85b56e9eba91488959f309
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6D21F772B04201A6DB308E55D901BE772A69B60B24F568077E90AC7312FB3ADDCA835C
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetACP.KERNEL32(?,20001004,?,00000002), ref: 049C00D4
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: ACP$OCP
                                                                                                                                                                                                                                • API String ID: 0-711371036
                                                                                                                                                                                                                                • Opcode ID: c6d2c2c3f7c25fabefd8c517707ca918c95a0ca72f85b56e9eba91488959f309
                                                                                                                                                                                                                                • Instruction ID: 4724996ed4178b17a97102420905b37728143271358395ae8347908e8bd991de
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c6d2c2c3f7c25fabefd8c517707ca918c95a0ca72f85b56e9eba91488959f309
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 35216262B00104E6EB34CFD48901BAB72AEAB94B59F47847DE949D7100F736F940C366
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 049C60FE
                                                                                                                                                                                                                                  • Part of subcall function 049A1E19: __EH_prolog.LIBCMT ref: 049A1E1E
                                                                                                                                                                                                                                  • Part of subcall function 049A266A: __EH_prolog.LIBCMT ref: 049A266F
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 049C61E0
Strings
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: H_prolog$Ios_base_dtorstd::ios_base::_
• String ID: xB
• API String ID: 420165198-2600814558
• Opcode ID: 9ab3aaf70d2163a1063e646c5f49d5cb4be0b6ea4cdc2725c479562135cb88ac
• Instruction ID: e40220dc1e4c819e90e785fb5081af0fe1bba20d46339914c15aa9d4614ee7de
• Opcode Fuzzy Hash: 9ab3aaf70d2163a1063e646c5f49d5cb4be0b6ea4cdc2725c479562135cb88ac
• Instruction Fuzzy Hash: 6F31D874D01119EBEB14EF94D995AEDF7B4FF88204F1085AAE405A3640EB746E18CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 049A33E1
• std::locale::_Init.LIBCPMT ref: 049A3428
  • Part of subcall function 049A7FDA: __EH_prolog3.LIBCMT ref: 049A7FE1
  • Part of subcall function 049A7FDA: std::_Lockit::_Lockit.LIBCPMT ref: 049A7FEC
  • Part of subcall function 049A7FDA: std::locale::_Setgloballocale.LIBCPMT ref: 049A8007
  • Part of subcall function 049A7FDA: _Yarn.LIBCPMT ref: 049A801D
  • Part of subcall function 049A7FDA: std::_Lockit::~_Lockit.LIBCPMT ref: 049A805D
  • Part of subcall function 049A3651: __EH_prolog.LIBCMT ref: 049A3656
  • Part of subcall function 049A3651: std::_Lockit::_Lockit.LIBCPMT ref: 049A3665
  • Part of subcall function 049A3651: int.LIBCPMT ref: 049A367C
  • Part of subcall function 049A3651: std::locale::_Getfacet.LIBCPMT ref: 049A3685
  • Part of subcall function 049A3651: std::_Lockit::~_Lockit.LIBCPMT ref: 049A36CC
  • Part of subcall function 049A1AE6: __CxxThrowException@8.LIBVCRUNTIME ref: 049A1B30
  • Part of subcall function 049A1AE6: std::system_error::system_error.LIBCPMT ref: 049A1B3F
Strings
Memory Dump Source
• Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Yara matches
Similarity
• API ID: Lockitstd::_$std::locale::_$H_prologLockit::_Lockit::~_$Exception@8GetfacetH_prolog3InitSetgloballocaleThrowYarnstd::system_error::system_error
• String ID: !vB
• API String ID: 372095707-662244105
• Opcode ID: 4deb0b62ca6bed2fa6a44367b456c2ab057c0f4f5e284071d2ebbd93a586d0bc
• Instruction ID: c943869045353e9d8ad5f6a148835c6b9e8f4ea8fc03c810628197f07dd38dd1
• Opcode Fuzzy Hash: 4deb0b62ca6bed2fa6a44367b456c2ab057c0f4f5e284071d2ebbd93a586d0bc
• Instruction Fuzzy Hash: 9F2126B1A00A06AFD714DF6AC185659FBF4FB48314F50822ED01997A80D774F964CFD4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 00417217
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: AddressProc__crt_fast_encode_pointer
• String ID: -@
• API String ID: 2279764990-2564449678
• Opcode ID: dc50904c779d9d650c94e7699dac49ecaf35141d5acdb291f08ec5f954601914
• Instruction ID: be5354ef9640d5baeda707f88ba0ee7c606e7dd11eb492dad25bcfdc379f5c6d
• Opcode Fuzzy Hash: dc50904c779d9d650c94e7699dac49ecaf35141d5acdb291f08ec5f954601914
• Instruction Fuzzy Hash: E7110633A04120ABAB369E19EC809DB73B9AB843207164272FD15AB344DB34DCC2C6D9
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: H_prolog
• String ID: /cpa/ping.php?substr=%s&s=ab&sub=%s$one
• API String ID: 3519838083-2876206925
• Opcode ID: f5393bbe0179e56c72e8d6aed76511a95c4a66d15052c3b77f8b18530fd2a227
• Instruction ID: 23fc970319ec432bccea8ea3542248735fa0f2929cdefa52ec0488ef77b85577
• Opcode Fuzzy Hash: f5393bbe0179e56c72e8d6aed76511a95c4a66d15052c3b77f8b18530fd2a227
• Instruction Fuzzy Hash: BD11C232A00014BBDB04AF899C01BAEBB69EF45315F40012FF405A3292D3799A518BA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00402FEA
• std::locale::_Init.LIBCPMT ref: 0040300E
  • Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
  • Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
  • Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
  • Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
  • Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
• String ID: T*@
• API String ID: 4198646248-2370032326
• Opcode ID: 7dfcf93c417fa76e04d3e3a4fed8d4ff5bf7dd665a8af5c4b3da1b51d53f7e53
• Instruction ID: c469f1781f4eb74895915257e237cd09ecdba2ecacf51dc6ab7e16c1717fddcf
• Opcode Fuzzy Hash: 7dfcf93c417fa76e04d3e3a4fed8d4ff5bf7dd665a8af5c4b3da1b51d53f7e53
• Instruction Fuzzy Hash: F921B0B5A00A06AFC305DF6AD581995FBF8FF49314B40822FE80987B50E774A964CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00404373
  • Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47
• __Getcoll.LIBCPMT ref: 004043CF
Strings
Memory Dump Source
• Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
Similarity
• API ID: H_prolog$Getcoll
• String ID: u@@
• API String ID: 206117190-736001340
• Opcode ID: da0bdbbc3b0f42b801ac3b2eb85bb2a3e1abbe298574f711ddba54968d2ab91f
• Instruction ID: 22f8a194e856adbcf5db44b98b1892bbe0116132472f20e5c64479f843611134
• Opcode Fuzzy Hash: da0bdbbc3b0f42b801ac3b2eb85bb2a3e1abbe298574f711ddba54968d2ab91f
• Instruction Fuzzy Hash: 511170B19012099FCB04EFA9C581A9DBBB4FF84308F10843FE545BB281D7789A44CB95
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 049A45DA
                                                                                                                                                                                                                                  • Part of subcall function 049A3CA9: __EH_prolog.LIBCMT ref: 049A3CAE
                                                                                                                                                                                                                                • __Getcoll.LIBCPMT ref: 049A4636
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog$Getcoll
                                                                                                                                                                                                                                • String ID: cwB
                                                                                                                                                                                                                                • API String ID: 206117190-1299997670
                                                                                                                                                                                                                                • Opcode ID: 8ac08cb90d6c8a0e3a8eafc8112a944c2dcf30f0700bdbfcd0b9c4691759611c
                                                                                                                                                                                                                                • Instruction ID: f3c61a9603eaa4f51ab54609f5ea8776657e6ec3be4b6a0084f82424b4833745
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ac08cb90d6c8a0e3a8eafc8112a944c2dcf30f0700bdbfcd0b9c4691759611c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 511179B2D00209EFDB14EFA8D484A9DBBF4FF84318F10803ED015AB200DB74AA54CBA1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID: ?uB$ios_base::failbit set
                                                                                                                                                                                                                                • API String ID: 3519838083-946796157
                                                                                                                                                                                                                                • Opcode ID: 234de090022dfe67052ebfa9b3a4f165bdb172cecaf10e59d262a8163687a49b
                                                                                                                                                                                                                                • Instruction ID: f86c42352bd8cc71bfbbf74e4ac200872bf5410c25cbdb7c723c61346d4157fb
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 234de090022dfe67052ebfa9b3a4f165bdb172cecaf10e59d262a8163687a49b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3E0171725101099FDB04EF98C444BFDFBB8EF89318F14816EE401A7250D7B46A45CBE4
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A76A
                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 0041A778
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A7D3
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3315694164.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1717984340-0
                                                                                                                                                                                                                                • Opcode ID: 796b5502bf3758a62d3774a2a03d829f786e940855c074945e7165fbf0666ef5
                                                                                                                                                                                                                                • Instruction ID: 87839b596d2bb0c5de59c8c1227ac8d795198cb32e80a538f680ccd386729a76
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 796b5502bf3758a62d3774a2a03d829f786e940855c074945e7165fbf0666ef5
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 04410830602246AFCF219F69C944AEF7BB4AF01310F15416AEC6997291DB38CDA2C75A
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 049BA9D1
                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 049BA9DF
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 049BAA3A
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000008.00000002.3337248481.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_49a0000_JPl4ZLOvy3fY5RSXGk5s9Gl5.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1717984340-0
                                                                                                                                                                                                                                • Opcode ID: e2dcd7916019b3a733183e7ba2e3bccfca86bceaf396c0a8a97430b0cc35b528
                                                                                                                                                                                                                                • Instruction ID: 9fffa22c0f4a94a8ad6160003ca8702d17ffab3c2cf5220de227be76cb1baad9
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e2dcd7916019b3a733183e7ba2e3bccfca86bceaf396c0a8a97430b0cc35b528
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8441E830600206AFDF218F65CB48AEE7BAADF41310F158579F9D9971A0DB30A901D7F4
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                • bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t, xrefs: 00433A4A
                                                                                                                                                                                                                                • CreateWaitableTimerEx when creating timer failedHKCU\Software\Classes\mscfile\shell\open\commandMozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)SELECT OSArchitecture FROM Win32_OperatingSystem"%s" --nt-service -f "%s" --Log "notice file %s"bufio: writer return, xrefs: 00433B00
                                                                                                                                                                                                                                • runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00433A71
                                                                                                                                                                                                                                • ,/=MOScghs ( + , / @ P [ %q%v(") )()*., ->-r-t.\///C/d/f/i/q/s/v000X0b0o0s0x25536480: :]; =#> ??A3A4AVB:CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOKOUPCPcPdPePfPiPoPsSBSTScSkSmSoTeToV1V2V3V5V6V7YiZlZpZs")":"\*\D\E\S\W\"\\\d\n\r\s\w ])]:][]dsh2i)idipivmsn=nsos, xrefs: 00433A05
                                                                                                                                                                                                                                • VirtualQuery for stack base failedadding nil Certificate to CertPoolarchive/tar: header field too longchacha20: wrong HChaCha20 key sizecouldn't create a new cipher blockcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid bu, xrefs: 00433AA5
                                                                                                                                                                                                                                • runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state , xrefs: 00433ACC
                                                                                                                                                                                                                                • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not, xrefs: 00433B27
                                                                                                                                                                                                                                • runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected data: %vunexpected g , xrefs: 004339DB
                                                                                                                                                                                                                                • %, xrefs: 00433B64
                                                                                                                                                                                                                                • runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptimezone hour outside of range [0,23]tls: failed to verify certificate: %st, xrefs: 00433B5B
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000A.00000002.3312022979.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000A.00000002.3312022979.0000000000840000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                                • Associated: 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                                • Associated: 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_10_2_400000_JIsbjewlnghreiCB15kllzTk.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: %$,/=MOScghs ( + , / @ P [ %q%v(") )()*., ->-r-t.\///C/d/f/i/q/s/v000X0b0o0s0x25536480: :]; =#> ??A3A4AVB:CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOKOUPCPcPdPePfPiPoPsSBSTScSkSmSoTeToV1V2V3V5V6V7YiZlZpZs")":"\*\D\E\S\W\"\\\d\n\r\s\w ])]:][]dsh2i)idipivmsn=nsos$CreateWaitableTimerEx when creating timer failedHKCU\Software\Classes\mscfile\shell\open\commandMozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)SELECT OSArchitecture FROM Win32_OperatingSystem"%s" --nt-service -f "%s" --Log "notice file %s"bufio: writer return$VirtualQuery for stack base failedadding nil Certificate to CertPoolarchive/tar: header field too longchacha20: wrong HChaCha20 key sizecouldn't create a new cipher blockcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid bu$bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not$runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptimezone hour outside of range [0,23]tls: failed to verify certificate: %st$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state $runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected data: %vunexpected g
• API String ID: 0-2845907608
• Opcode ID: 4861b8a6a2a3058dc2e1ec19f5ab3598cb0c009544e4972bfa7db612a91145a9
• Instruction ID: 54d86a38c7ca5e9b4d361dfb47ed8c6cf3eb888c171a558932b5f88d5bc68312
• Opcode Fuzzy Hash: 4861b8a6a2a3058dc2e1ec19f5ab3598cb0c009544e4972bfa7db612a91145a9
• Instruction Fuzzy Hash: 8281CFB45097018FD700EF66C18575AFBE0BF88708F41992EF49887392EB789949CF5A
Uniqueness

Uniqueness Score: -1.00%

Strings
• releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog, xrefs: 00443929
• m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...), i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerAr, xrefs: 0044394B
• p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s (%d): %s) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad Req, xrefs: 00443997
• releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestun.sip, xrefs: 004439E1
Memory Dump Source
• Source File: 0000000A.00000002.3312022979.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3312022979.0000000000840000.00000040.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.3312022979.0000000000843000.00000040.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.3312022979.0000000000ACD000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_JIsbjewlnghreiCB15kllzTk.jbxd
Yara matches
Similarity
• API ID:
• String ID: m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...), i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerAr$ p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s (%d): %s) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad Req$releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestun.sip$releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
• API String ID: 0-3530339137
• Opcode ID: 147a754e04b331b36706bf54a1f15f1a33f6f9f3812af3793d82f5f849fb4b27
• Instruction ID: 41eda2ad12dc9040aabd0b4fda58d31df6fc94468559f7c6cc3daccb715ab915
• Opcode Fuzzy Hash: 147a754e04b331b36706bf54a1f15f1a33f6f9f3812af3793d82f5f849fb4b27
• Instruction Fuzzy Hash: 9C31E2B45087418FD700EF25C185B1AFBE1BF88708F45882EF4888B352DB789948CB6A
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage:1%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:1.2%
Total number of Nodes:1944
Total number of Limit Nodes:15
6b9ace9e 13500->13501 13504 6b9aced1 13500->13504 13507 6b9aceb9 13500->13507 13502 6b9b6dcc ___std_exception_copy 24 API calls 13501->13502 13502->13507 13503 6b9acf68 13505 6b9ace4e 26 API calls 13503->13505 13504->13503 13515 6b9ace4e 13504->13515 13505->13507 13507->13326 13509 6b9ac84a 13508->13509 13510 6b9ac837 13508->13510 13509->13500 13511 6b9b53f8 ___std_exception_copy 11 API calls 13510->13511 13512 6b9ac83c 13511->13512 13513 6b9b6c10 ___std_exception_copy 24 API calls 13512->13513 13514 6b9ac847 13513->13514 13514->13500 13516 6b9ace5f 13515->13516 13517 6b9ace73 13515->13517 13516->13517 13518 6b9b53f8 ___std_exception_copy 11 API calls 13516->13518 13517->13503 13519 6b9ace68 13518->13519 13520 6b9b6c10 ___std_exception_copy 24 API calls 13519->13520 13520->13517 13522 6b9a9c72 13521->13522 13570 6b9ab78c 13522->13570 13524 6b9a9cb1 13574 6b9c528a 13524->13574 13527 6b9a9d68 13529 6b9a8a80 45 API calls 13527->13529 13530 6b9a9d9b 13527->13530 13528 6b9a8a80 45 API calls 13528->13527 13529->13530 13530->13360 13530->13530 13532 6b9a9b09 13531->13532 13533 6b9a9b3f 13532->13533 13534 6b9c5dbb 46 API calls 13532->13534 13533->13360 13534->13533 13536 6b9abd8d 13535->13536 13537 6b9abdaf 13536->13537 13540 6b9abdd6 13536->13540 13538 6b9b6dcc ___std_exception_copy 24 API calls 13537->13538 13539 6b9abdcc 13538->13539 13539->13360 13540->13539 13541 6b9ab78c 2 API calls 13540->13541 13541->13539 13543 6b9a9e32 13542->13543 13544 6b9b6dcc ___std_exception_copy 24 API calls 13543->13544 13545 6b9a9e53 13543->13545 13544->13545 13545->13360 13547 6b9ac0a7 13546->13547 13548 6b9ac0c9 13547->13548 13550 6b9ac0f0 13547->13550 13549 6b9b6dcc ___std_exception_copy 24 API calls 13548->13549 13552 6b9ac0e6 13549->13552 13551 6b9ab78c 2 API calls 13550->13551 13550->13552 13551->13552 13552->13360 13554 6b9a9df5 13553->13554 13635 6b9abf05 13554->13635 13556 6b9a9e05 13556->13360 13558 6b9abd78 24 API calls 13557->13558 13559 6b9a9e1b 13558->13559 13559->13360 
13561 6b9c5dd0 13560->13561 13562 6b9c5e11 13561->13562 13564 6b9a8a80 45 API calls 13561->13564 13568 6b9c5dd4 ___std_exception_copy 13561->13568 13569 6b9c5dfd ___std_exception_copy 13561->13569 13562->13568 13562->13569 13642 6b9c999a 13562->13642 13563 6b9b6dcc ___std_exception_copy 24 API calls 13563->13568 13564->13562 13566 6b9c5ecc 13567 6b9c5ee2 GetLastError 13566->13567 13566->13568 13567->13568 13567->13569 13568->13360 13569->13563 13569->13568 13571 6b9ab7b3 13570->13571 13573 6b9ab7a1 ___std_exception_copy 13570->13573 13572 6b895940 ___std_exception_copy 2 API calls 13571->13572 13571->13573 13572->13573 13573->13524 13575 6b9c529b 13574->13575 13576 6b9c52bf 13574->13576 13577 6b9b6dcc ___std_exception_copy 24 API calls 13575->13577 13576->13575 13578 6b9c52f2 13576->13578 13588 6b9a9d44 13577->13588 13579 6b9c532b 13578->13579 13581 6b9c535a 13578->13581 13593 6b9c543f 13579->13593 13580 6b9c5383 13585 6b9c53ea 13580->13585 13586 6b9c53b0 13580->13586 13581->13580 13582 6b9c5388 13581->13582 13601 6b9c5801 13582->13601 13628 6b9c5627 13585->13628 13589 6b9c53b5 13586->13589 13590 6b9c53d0 13586->13590 13588->13527 13588->13528 13611 6b9c5cb2 13589->13611 13621 6b9c5c1c 13590->13621 13594 6b9c5455 13593->13594 13595 6b9c5460 13593->13595 13594->13588 13596 6b9c257c ___std_exception_copy 26 API calls 13595->13596 13597 6b9c54bb 13596->13597 13598 6b9c54c5 13597->13598 13599 6b9b6c20 ___std_exception_copy 11 API calls 13597->13599 13598->13588 13600 6b9c54d3 13599->13600 13602 6b9c5814 13601->13602 13603 6b9c5845 13602->13603 13604 6b9c5823 13602->13604 13606 6b9c585a 13603->13606 13608 6b9c58ad 13603->13608 13605 6b9b6dcc ___std_exception_copy 24 API calls 13604->13605 13610 6b9c583b __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z ___std_exception_copy _strrchr __allrem 13605->13610 13607 6b9c5627 47 API calls 13606->13607 13607->13610 13609 6b9a8a80 45 API calls 13608->13609 13608->13610 13609->13610 13610->13588 13612 6b9d0cba 28 API calls 13611->13612 
13613 6b9c5ce2 13612->13613 13614 6b9d0b0f 24 API calls 13613->13614 13615 6b9c5d20 13614->13615 13616 6b9c5d27 13615->13616 13617 6b9c5d60 13615->13617 13618 6b9c5d39 13615->13618 13616->13588 13619 6b9c54d4 47 API calls 13617->13619 13620 6b9c5b2e 45 API calls 13618->13620 13619->13616 13620->13616 13622 6b9d0cba 28 API calls 13621->13622 13623 6b9c5c4b 13622->13623 13624 6b9d0b0f 24 API calls 13623->13624 13625 6b9c5c8c 13624->13625 13626 6b9c5c93 13625->13626 13627 6b9c5b2e 45 API calls 13625->13627 13626->13588 13627->13626 13629 6b9d0cba 28 API calls 13628->13629 13630 6b9c5651 13629->13630 13631 6b9d0b0f 24 API calls 13630->13631 13632 6b9c569f 13631->13632 13633 6b9c56a6 13632->13633 13634 6b9c54d4 47 API calls 13632->13634 13633->13588 13634->13633 13636 6b9abf1a 13635->13636 13637 6b9abf63 13636->13637 13638 6b9abf3c 13636->13638 13640 6b9ab78c 2 API calls 13637->13640 13641 6b9abf59 13637->13641 13639 6b9b6dcc ___std_exception_copy 24 API calls 13638->13639 13639->13641 13640->13641 13641->13556 13644 6b9c99ad 13642->13644 13643 6b9c99eb WideCharToMultiByte 13643->13566 13644->13643 13646 6b9a87e4 ___std_exception_copy 13645->13646 13647 6b9a8806 13646->13647 13649 6b9a882d 13646->13649 13648 6b9b6dcc ___std_exception_copy 24 API calls 13647->13648 13651 6b9a8821 ___std_exception_copy 13648->13651 13652 6b9ac21f 13649->13652 13651->13287 13653 6b9ac22b ___std_exception_copy 13652->13653 13660 6b9a84e4 EnterCriticalSection 13653->13660 13655 6b9ac239 13661 6b9a9edc 13655->13661 13660->13655 13673 6b9c5016 13661->13673 13663 6b9a9f03 13678 6b9a932b 13663->13678 13665 6b9a9f4a 13694 6b9c50ff 13665->13694 13668 6b9a3b9b _ValidateLocalCookies 5 API calls 13669 6b9a9f76 13668->13669 13670 6b9ac26e 13669->13670 13831 6b9a84f8 LeaveCriticalSection 13670->13831 13672 6b9ac257 13672->13651 13698 6b9c50c1 13673->13698 13675 6b9c5027 13676 6b895940 ___std_exception_copy 2 API calls 13675->13676 13677 6b9c5080 ___std_exception_copy 13675->13677 13676->13677 
13677->13663 13721 6b9a928d 13678->13721 13681 6b9a9351 13682 6b9b6dcc ___std_exception_copy 24 API calls 13681->13682 13684 6b9a936e 13682->13684 13683 6b9a9379 13683->13684 13687 6b9a8a80 45 API calls 13683->13687 13688 6b9a95db 26 API calls 13683->13688 13689 6b9a91ec 70 API calls 13683->13689 13690 6b9a956d 13683->13690 13727 6b9a9653 13683->13727 13767 6b9a97ac 13683->13767 13684->13665 13687->13683 13688->13683 13689->13683 13691 6b9b6dcc ___std_exception_copy 24 API calls 13690->13691 13692 6b9a9587 13691->13692 13693 6b9b6dcc ___std_exception_copy 24 API calls 13692->13693 13693->13684 13695 6b9c510a 13694->13695 13696 6b9a9f64 13694->13696 13695->13696 13814 6b9bd478 13695->13814 13696->13668 13699 6b9c50cd 13698->13699 13700 6b9c50f7 13699->13700 13705 6b9b5a51 13699->13705 13700->13675 13702 6b9c50e8 13712 6b9ca3c2 13702->13712 13704 6b9c50ee 13704->13675 13706 6b9b5a5d 13705->13706 13707 6b9b5a72 13705->13707 13708 6b9b53f8 ___std_exception_copy 11 API calls 13706->13708 13707->13702 13709 6b9b5a62 13708->13709 13710 6b9b6c10 ___std_exception_copy 24 API calls 13709->13710 13711 6b9b5a6d 13710->13711 13711->13702 13713 6b9ca3dc 13712->13713 13714 6b9ca3cf 13712->13714 13716 6b9ca3e8 13713->13716 13717 6b9b53f8 ___std_exception_copy 11 API calls 13713->13717 13715 6b9b53f8 ___std_exception_copy 11 API calls 13714->13715 13718 6b9ca3d4 13715->13718 13716->13704 13719 6b9ca409 13717->13719 13718->13704 13720 6b9b6c10 ___std_exception_copy 24 API calls 13719->13720 13720->13718 13722 6b9a92ba 13721->13722 13723 6b9a9298 13721->13723 13802 6b9a88f9 13722->13802 13724 6b9b6dcc ___std_exception_copy 24 API calls 13723->13724 13726 6b9a92b3 13724->13726 13726->13681 13726->13683 13726->13684 13728 6b9a965a 13727->13728 13729 6b9a9671 13727->13729 13730 6b9a983c 13728->13730 13731 6b9a97d0 13728->13731 13746 6b9a96b0 13728->13746 13732 6b9b6dcc ___std_exception_copy 24 API calls 13729->13732 13729->13746 13733 6b9a987b 13730->13733 13734 6b9a9841 13730->13734 
13735 6b9a9864 13731->13735 13740 6b9a97d6 13731->13740 13736 6b9a96a5 13732->13736 13737 6b9a989a 13733->13737 13744 6b9a9880 13733->13744 13738 6b9a9872 13734->13738 13739 6b9a9843 13734->13739 13742 6b9ac092 24 API calls 13735->13742 13736->13683 13747 6b9a9e06 24 API calls 13737->13747 13743 6b9a9de9 24 API calls 13738->13743 13741 6b9a97ea 13739->13741 13751 6b9a9852 13739->13751 13745 6b9a97db 13740->13745 13749 6b9a9831 13740->13749 13748 6b9a9c58 47 API calls 13741->13748 13763 6b9a98a5 13741->13763 13760 6b9a9803 13742->13760 13743->13760 13744->13735 13744->13749 13744->13760 13745->13741 13752 6b9a9816 13745->13752 13745->13760 13746->13683 13747->13760 13748->13760 13750 6b9abd78 24 API calls 13749->13750 13749->13763 13750->13760 13751->13735 13753 6b9a9856 13751->13753 13754 6b9a9aee 46 API calls 13752->13754 13752->13763 13757 6b9a9e1c 24 API calls 13753->13757 13753->13763 13754->13760 13755 6b9a3b9b _ValidateLocalCookies 5 API calls 13756 6b9a9aec 13755->13756 13756->13683 13757->13760 13758 6b9a99a6 13761 6b9a92c5 70 API calls 13758->13761 13764 6b9a9a19 13758->13764 13760->13758 13760->13763 13810 6b9a92c5 13760->13810 13761->13758 13762 6b9c5dbb 46 API calls 13762->13764 13763->13755 13764->13762 13766 6b9a9a7e 13764->13766 13765 6b9a92c5 70 API calls 13765->13766 13766->13763 13766->13765 13768 6b9a983c 13767->13768 13769 6b9a97d0 13767->13769 13770 6b9a987b 13768->13770 13771 6b9a9841 13768->13771 13772 6b9a97d6 13769->13772 13773 6b9a9864 13769->13773 13774 6b9a989a 13770->13774 13775 6b9a9880 13770->13775 13776 6b9a9872 13771->13776 13777 6b9a9843 13771->13777 13783 6b9a9831 13772->13783 13784 6b9a97db 13772->13784 13778 6b9ac092 24 API calls 13773->13778 13781 6b9a9e06 24 API calls 13774->13781 13775->13773 13775->13783 13794 6b9a9803 13775->13794 13779 6b9a9de9 24 API calls 13776->13779 13780 6b9a97ea 13777->13780 13788 6b9a9852 13777->13788 13778->13794 13779->13794 13782 6b9a9c58 47 API calls 13780->13782 13785 6b9a98a5 13780->13785 
13781->13794 13782->13794 13783->13785 13787 6b9abd78 24 API calls 13783->13787 13784->13780 13786 6b9a9816 13784->13786 13784->13794 13791 6b9a3b9b _ValidateLocalCookies 5 API calls 13785->13791 13786->13785 13790 6b9a9aee 46 API calls 13786->13790 13787->13794 13788->13773 13789 6b9a9856 13788->13789 13789->13785 13793 6b9a9e1c 24 API calls 13789->13793 13790->13794 13792 6b9a9aec 13791->13792 13792->13683 13793->13794 13794->13785 13795 6b9a99a6 13794->13795 13796 6b9a92c5 70 API calls 13794->13796 13798 6b9a92c5 70 API calls 13795->13798 13800 6b9a9a19 13795->13800 13796->13794 13797 6b9a9a7e 13797->13785 13801 6b9a92c5 70 API calls 13797->13801 13798->13795 13799 6b9c5dbb 46 API calls 13799->13800 13800->13797 13800->13799 13801->13797 13803 6b9a8977 13802->13803 13804 6b9a890d 13802->13804 13803->13726 13805 6b9b5a51 26 API calls 13804->13805 13806 6b9a8914 13805->13806 13806->13803 13807 6b9b53f8 ___std_exception_copy 11 API calls 13806->13807 13808 6b9a896c 13807->13808 13809 6b9b6c10 ___std_exception_copy 24 API calls 13808->13809 13809->13803 13811 6b9a92d7 13810->13811 13812 6b9a92df 13811->13812 13813 6b9bd71a 70 API calls 13811->13813 13812->13760 13813->13812 13815 6b9bd4b8 13814->13815 13816 6b9bd491 13814->13816 13815->13696 13816->13815 13817 6b9b5a51 26 API calls 13816->13817 13818 6b9bd4ad 13817->13818 13820 6b9bbf34 13818->13820 13822 6b9bbf40 ___std_exception_copy 13820->13822 13821 6b9bbf81 13824 6b9b6dcc ___std_exception_copy 24 API calls 13821->13824 13822->13821 13823 6b9bbfc7 13822->13823 13830 6b9bbf48 13822->13830 13825 6b9b65e8 EnterCriticalSection 13823->13825 13824->13830 13826 6b9bbfcd 13825->13826 13827 6b9bbfeb 13826->13827 13828 6b9bbd18 66 API calls 13826->13828 13829 6b9bc03d LeaveCriticalSection 13827->13829 13828->13827 13829->13830 13830->13815 13831->13672 13918 6b963810 13832->13918 13835 6b959880 13836 6b963810 112 API calls 13835->13836 13837 6b88914a 13836->13837 13838 6b981bd0 13837->13838 13839 6b9b53f8 
___std_exception_copy 11 API calls 13838->13839 13840 6b981bdb 13839->13840 13841 6b9b53f8 ___std_exception_copy 11 API calls 13840->13841 13842 6b981be4 GetLastError SetLastError 13841->13842 13842->12935 13846 6b8891ae _strlen 13843->13846 13849 6b8894b6 13843->13849 13844 6b9d98a0 78 API calls 13845 6b8894da 13844->13845 13845->12937 13847 6b9d6770 101 API calls 13846->13847 13846->13849 13848 6b88920d 13847->13848 13850 6b88954f _strlen 13848->13850 13851 6b88924e 13848->13851 14291 6b8ec240 13848->14291 13849->13844 13854 6b9d6770 101 API calls 13850->13854 13852 6b88927b 13851->13852 14297 6b966380 GetCurrentThreadId 13851->14297 13856 6b88928b GetLocalTime 13852->13856 13857 6b889373 13852->13857 13859 6b88956a 13854->13859 13861 6b8892b4 13856->13861 13862 6b88957d 13856->13862 13864 6b88952e GetTickCount 13857->13864 13865 6b889509 13857->13865 13881 6b889391 _strlen 13857->13881 13866 6b9d6770 101 API calls 13859->13866 14298 6b77d8d0 13861->14298 14310 6b9639b0 13862->14310 13868 6b77e1a0 101 API calls 13864->13868 13871 6b9d6770 101 API calls 13865->13871 13866->13862 13873 6b88953f 13868->13873 13876 6b889519 13871->13876 13879 6b9d6770 101 API calls 13873->13879 13882 6b77db10 101 API calls 13876->13882 13879->13850 13880 6b77d8d0 101 API calls 13883 6b8892e8 13880->13883 13881->13845 13885 6b9d6770 101 API calls 13881->13885 13886 6b889529 13882->13886 13884 6b9d6770 101 API calls 13883->13884 13887 6b8892f9 13884->13887 13888 6b8893b5 13885->13888 13886->13864 13889 6b77d8d0 101 API calls 13887->13889 13890 6b9d6770 101 API calls 13888->13890 13891 6b889311 13889->13891 13892 6b8893c7 13890->13892 13894 6b77d8d0 101 API calls 13891->13894 13895 6b9d6770 101 API calls 13892->13895 13893 6b88959c 13896 6b889326 13894->13896 13897 6b8893d4 13895->13897 13898 6b77d8d0 101 API calls 13896->13898 13899 6b9d6770 101 API calls 13897->13899 13900 6b88933b 13898->13900 13901 6b8893e6 13899->13901 13902 6b9d6770 101 API calls 13900->13902 13903 6b77db10 101 
API calls 13901->13903 13904 6b889349 13902->13904 13905 6b8893f3 13903->13905 13906 6b77d8d0 101 API calls 13904->13906 13907 6b9d6770 101 API calls 13905->13907 13908 6b889365 13906->13908 13911 6b889400 13907->13911 13909 6b9d6770 101 API calls 13908->13909 13909->13857 13910 6b889439 13910->13849 13914 6b88944a 13910->13914 13911->13849 13911->13910 13912 6b889434 13911->13912 13913 6b9d6720 78 API calls 13911->13913 13912->13910 13915 6b9a3359 3 API calls 13912->13915 13913->13911 13916 6b9a3b9b _ValidateLocalCookies 5 API calls 13914->13916 13915->13910 13917 6b889489 13916->13917 13917->12937 13919 6b963880 13918->13919 13928 6b889121 13918->13928 13920 6b9a33f7 __Init_thread_header 6 API calls 13919->13920 13921 6b96388a 13920->13921 13922 6b9a33f7 __Init_thread_header 6 API calls 13921->13922 13921->13928 13933 6b9638b3 13921->13933 13925 6b9638f1 13922->13925 13925->13933 13937 6b863d80 13925->13937 13926 6b9a346d __Init_thread_footer 5 API calls 13926->13928 13928->13835 13929 6b963913 13930 6b9a3661 2 API calls 13929->13930 13931 6b963927 13930->13931 13932 6b9a346d __Init_thread_footer 5 API calls 13931->13932 13932->13933 13934 6b9a3661 13933->13934 14074 6b9a3676 13934->14074 14109 6b864a90 13937->14109 13939 6b863dd1 14118 6b9d65f0 13939->14118 13941 6b863dee 13942 6b863e1e 13941->13942 13943 6b863e00 13941->13943 13944 6b863e6a 13942->13944 14138 6b859220 13942->14138 13945 6b9d98a0 78 API calls 13943->13945 14154 6b864cc0 13944->14154 13953 6b863e16 13945->13953 13948 6b863e81 13949 6b863ec3 13948->13949 13950 6b859220 4 API calls 13948->13950 13951 6b864cc0 78 API calls 13949->13951 13950->13949 13952 6b863eda 13951->13952 14168 6b9a8705 13952->14168 13953->13929 13956 6b863f2f 13958 6b864cc0 78 API calls 13956->13958 13957 6b859220 4 API calls 13957->13956 13959 6b863f46 13958->13959 13960 6b863f88 13959->13960 13962 6b859220 4 API calls 13959->13962 13961 6b864cc0 78 API calls 13960->13961 13963 6b863f9f 13961->13963 13962->13960 13964 6b863fe1 
13963->13964 13965 6b859220 4 API calls 13963->13965 13966 6b864cc0 78 API calls 13964->13966 13965->13964 13967 6b863ff8 13966->13967 14173 6b963500 13967->14173 13970 6b864055 13971 6b864cc0 78 API calls 13970->13971 13973 6b864073 13971->13973 13972 6b859220 4 API calls 13972->13970 13974 6b8640b5 13973->13974 13975 6b859220 4 API calls 13973->13975 13976 6b864cc0 78 API calls 13974->13976 13975->13974 13977 6b8640cc 13976->13977 13978 6b86410e 13977->13978 13979 6b859220 4 API calls 13977->13979 13980 6b864cc0 78 API calls 13978->13980 13979->13978 13981 6b864125 13980->13981 13982 6b864167 13981->13982 13984 6b859220 4 API calls 13981->13984 13983 6b864cc0 78 API calls 13982->13983 13985 6b86417e 13983->13985 13984->13982 13986 6b8641c0 13985->13986 13987 6b859220 4 API calls 13985->13987 13988 6b864cc0 78 API calls 13986->13988 13987->13986 13989 6b8641d7 13988->13989 13990 6b86422f 13989->13990 13991 6b859220 4 API calls 13989->13991 13992 6b864cc0 78 API calls 13990->13992 13991->13990 13993 6b864246 13992->13993 13994 6b86429f 13993->13994 13995 6b859220 4 API calls 13993->13995 13996 6b864cc0 78 API calls 13994->13996 13995->13994 13997 6b8642b6 13996->13997 13998 6b8642f8 13997->13998 13999 6b859220 4 API calls 13997->13999 14000 6b864cc0 78 API calls 13998->14000 13999->13998 14001 6b86430f 14000->14001 14002 6b864351 14001->14002 14004 6b859220 4 API calls 14001->14004 14003 6b864cc0 78 API calls 14002->14003 14005 6b864368 14003->14005 14004->14002 14006 6b8643aa 14005->14006 14007 6b859220 4 API calls 14005->14007 14008 6b864cc0 78 API calls 14006->14008 14007->14006 14009 6b8643c1 14008->14009 14010 6b864403 14009->14010 14011 6b859220 4 API calls 14009->14011 14012 6b864cc0 78 API calls 14010->14012 14011->14010 14013 6b86441a 14012->14013 14014 6b86445c 14013->14014 14016 6b859220 4 API calls 14013->14016 14015 6b864cc0 78 API calls 14014->14015 14017 6b864473 14015->14017 14016->14014 14018 6b8644b5 14017->14018 14019 6b859220 4 API calls 
14017->14019 14020 6b864cc0 78 API calls 14018->14020 14019->14018 14021 6b8644cc 14020->14021 14022 6b86450e 14021->14022 14023 6b859220 4 API calls 14021->14023 14024 6b864cc0 78 API calls 14022->14024 14023->14022 14025 6b864525 14024->14025 14026 6b864567 14025->14026 14027 6b859220 4 API calls 14025->14027 14028 6b864cc0 78 API calls 14026->14028 14027->14026 14029 6b86457e 14028->14029 14030 6b8645c0 14029->14030 14031 6b859220 4 API calls 14029->14031 14032 6b864cc0 78 API calls 14030->14032 14031->14030 14033 6b8645d7 14032->14033 14034 6b864619 14033->14034 14036 6b859220 4 API calls 14033->14036 14035 6b864cc0 78 API calls 14034->14035 14037 6b864630 14035->14037 14036->14034 14038 6b864672 14037->14038 14039 6b859220 4 API calls 14037->14039 14040 6b864cc0 78 API calls 14038->14040 14039->14038 14041 6b864689 14040->14041 14042 6b8646cb 14041->14042 14043 6b859220 4 API calls 14041->14043 14044 6b864cc0 78 API calls 14042->14044 14043->14042 14045 6b8646e2 14044->14045 14046 6b86472e 14045->14046 14048 6b859220 4 API calls 14045->14048 14047 6b864cc0 78 API calls 14046->14047 14049 6b864745 14047->14049 14048->14046 14050 6b864791 14049->14050 14051 6b859220 4 API calls 14049->14051 14052 6b864cc0 78 API calls 14050->14052 14051->14050 14053 6b8647a8 14052->14053 14054 6b963500 75 API calls 14053->14054 14055 6b8647cd 14054->14055 14056 6b86480f 14055->14056 14058 6b859220 4 API calls 14055->14058 14057 6b864cc0 78 API calls 14056->14057 14059 6b86482d 14057->14059 14058->14056 14060 6b963500 75 API calls 14059->14060 14061 6b864852 14060->14061 14062 6b864894 14061->14062 14063 6b859220 4 API calls 14061->14063 14064 6b864cc0 78 API calls 14062->14064 14063->14062 14065 6b8648b2 14064->14065 14066 6b8648f4 14065->14066 14067 6b859220 4 API calls 14065->14067 14068 6b864cc0 78 API calls 14066->14068 14067->14066 14069 6b86490b 14068->14069 14070 6b859220 4 API calls 14069->14070 14072 6b86494d 14069->14072 14070->14072 14071 6b864cc0 78 API calls 14073 
6b864964 14071->14073 14072->14071 14073->13929 14075 6b9a368c 14074->14075 14076 6b9a3685 14074->14076 14083 6b9b4bac 14075->14083 14080 6b9b4c1d 14076->14080 14079 6b9638d2 14079->13926 14081 6b9b4bac 2 API calls 14080->14081 14082 6b9b4c2f 14081->14082 14082->14079 14086 6b9b4e0f 14083->14086 14087 6b9b4e1b ___std_exception_copy 14086->14087 14094 6b9c44f1 EnterCriticalSection 14087->14094 14089 6b9b4e29 14095 6b9b4c33 14089->14095 14091 6b9b4e36 14101 6b9b4e5e 14091->14101 14094->14089 14096 6b9b4c4e 14095->14096 14100 6b9b4cb7 ___std_exception_copy 14095->14100 14099 6b9b4c97 ___std_exception_copy 14096->14099 14096->14100 14104 6b895ab0 14096->14104 14098 6b895ab0 2 API calls 14098->14100 14099->14098 14099->14100 14100->14091 14108 6b9c4508 LeaveCriticalSection 14101->14108 14103 6b9b4bdd 14103->14079 14105 6b895ac4 14104->14105 14106 6ba04130 ___std_exception_copy EnterCriticalSection LeaveCriticalSection 14105->14106 14107 6b895b25 ___std_exception_copy 14105->14107 14106->14105 14107->14099 14108->14103 14110 6b864ad4 14109->14110 14111 6b864b0b 14109->14111 14112 6b864adc 14110->14112 14183 6b9d6960 14110->14183 14111->13939 14114 6b9a3359 3 API calls 14112->14114 14115 6b864ae1 14112->14115 14114->14115 14115->14111 14116 6b9d98a0 78 API calls 14115->14116 14117 6b864b3c 14116->14117 14117->13939 14120 6b9d65fd _strlen 14118->14120 14125 6b9d6622 14118->14125 14119 6b9d98a0 78 API calls 14121 6b9d6679 14119->14121 14120->14121 14123 6b9a3359 3 API calls 14120->14123 14120->14125 14122 6b9d6720 78 API calls 14121->14122 14130 6b9d6680 14122->14130 14123->14125 14124 6b9d6648 14124->13941 14125->14119 14125->14124 14126 6b9d98a0 78 API calls 14127 6b9d6712 14126->14127 14129 6b9d6720 78 API calls 14127->14129 14128 6b9d66b7 14128->14126 14134 6b9d66dd 14128->14134 14131 6b9d6719 14129->14131 14130->14127 14130->14128 14130->14131 14132 6b9a3359 3 API calls 14130->14132 14133 6b9d6740 78 API calls 14131->14133 14132->14128 14135 6b9d671e 14133->14135 
14134->13941 14136 6b9d6730 78 API calls 14135->14136 14137 6b9d672d 14136->14137 14195 6b964ca0 AcquireSRWLockExclusive 14138->14195 14140 6b859267 14142 6b859271 14140->14142 14143 6b8592fa 14140->14143 14196 6b964cb0 ReleaseSRWLockExclusive 14142->14196 14200 6b964cb0 ReleaseSRWLockExclusive 14143->14200 14145 6b859259 14145->14140 14201 6b867bf0 SleepConditionVariableSRW 14145->14201 14147 6b859296 14197 6b964ca0 AcquireSRWLockExclusive 14147->14197 14148 6b8592e6 14148->13944 14150 6b8592c3 14198 6b964cb0 ReleaseSRWLockExclusive 14150->14198 14152 6b8592d9 14199 6b867be0 WakeAllConditionVariable 14152->14199 14155 6b864d0a 14154->14155 14158 6b864d3c 14154->14158 14156 6b864d29 14155->14156 14160 6b864d13 14155->14160 14202 6b8654b0 14156->14202 14159 6b864ddb 14158->14159 14165 6b864d6a 14158->14165 14161 6b9d98a0 78 API calls 14159->14161 14160->14158 14162 6b864d24 14160->14162 14167 6b864dd6 14161->14167 14166 6b9d98a0 78 API calls 14162->14166 14163 6b864daa 14163->13948 14164 6b9d98a0 78 API calls 14164->14167 14165->14163 14165->14164 14166->14167 14167->13948 14169 6b9c355a 36 API calls 14168->14169 14170 6b9a8710 14169->14170 14215 6b9c3b6e 14170->14215 14174 6b963576 14173->14174 14182 6b86401d 14173->14182 14175 6b9a33f7 __Init_thread_header 6 API calls 14174->14175 14176 6b963580 14175->14176 14176->14182 14219 6b867790 14176->14219 14178 6b9635bc 14179 6b9a3661 2 API calls 14178->14179 14180 6b9635cc 14179->14180 14181 6b9a346d __Init_thread_footer 5 API calls 14180->14181 14181->14182 14182->13970 14182->13972 14184 6b9d6730 78 API calls 14183->14184 14185 6b9d696d 14184->14185 14186 6b9d69d5 14185->14186 14187 6b9d6983 14185->14187 14188 6b9d6720 78 API calls 14186->14188 14189 6b9d69dc 14187->14189 14190 6b9d6990 14187->14190 14191 6b9d6999 14187->14191 14188->14189 14193 6b9d6740 78 API calls 14189->14193 14192 6b9a3359 3 API calls 14190->14192 14191->14112 14192->14191 14194 6b9d69e1 14193->14194 14195->14145 14196->14147 14197->14150 
14198->14152 14199->14148 14200->14148 14201->14145 14203 6b8654f4 14202->14203 14205 6b8655c4 14202->14205 14204 6b9d6960 78 API calls 14203->14204 14206 6b86550a 14203->14206 14204->14206 14208 6b9d98a0 78 API calls 14205->14208 14214 6b86557a 14205->14214 14207 6b865614 14206->14207 14209 6b9a3359 3 API calls 14206->14209 14211 6b86554c 14206->14211 14210 6b9d6740 78 API calls 14207->14210 14208->14207 14209->14211 14212 6b86565e 14210->14212 14213 6b9d98a0 78 API calls 14211->14213 14211->14214 14212->14158 14213->14207 14214->14158 14216 6b863efc 14215->14216 14217 6b9c3b81 14215->14217 14216->13956 14216->13957 14217->14216 14218 6b9c7256 36 API calls 14217->14218 14218->14216 14222 6b9b2ff0 14219->14222 14221 6b8677a6 14221->14178 14223 6b9b3011 14222->14223 14229 6b9b3041 14222->14229 14223->14229 14230 6b9c611f 14223->14230 14225 6b9a3b9b _ValidateLocalCookies 5 API calls 14227 6b9b3052 14225->14227 14226 6b9b302d 14226->14229 14233 6b9b3199 14226->14233 14227->14221 14229->14225 14255 6b9c6149 14230->14255 14234 6b9b31a9 14233->14234 14235 6b9b329c 14233->14235 14234->14235 14236 6b8959e0 ___std_exception_copy 2 API calls 14234->14236 14235->14229 14237 6b9b31c0 14236->14237 14238 6b9b31cb 14237->14238 14239 6b9b31dd 14237->14239 14241 6b9b53f8 ___std_exception_copy 11 API calls 14238->14241 14240 6b8959e0 ___std_exception_copy 2 API calls 14239->14240 14242 6b9b31e9 14240->14242 14253 6b9b31d0 ___std_exception_copy 14241->14253 14243 6b9b3203 14242->14243 14244 6b9b31f1 14242->14244 14246 6b8959e0 ___std_exception_copy 2 API calls 14243->14246 14245 6b9b53f8 ___std_exception_copy 11 API calls 14244->14245 14245->14253 14247 6b9b320e 14246->14247 14248 6b9b3223 14247->14248 14249 6b9b3216 14247->14249 14257 6b9b3daf 14248->14257 14250 6b9b53f8 ___std_exception_copy 11 API calls 14249->14250 14250->14253 14252 6b9b323a 14252->14253 14280 6b9c4798 14252->14280 14253->14229 14256 6b9c613b MultiByteToWideChar 14255->14256 14256->14226 14258 6b9b3dda 
14257->14258 14263 6b9b3dfb 14257->14263 14260 6b9b3854 63 API calls 14258->14260 14259 6b9b3c14 26 API calls 14262 6b9b3de6 14259->14262 14260->14262 14261 6b9b3f8f 14264 6b9b32a0 63 API calls 14261->14264 14265 6b9a3b9b _ValidateLocalCookies 5 API calls 14262->14265 14263->14261 14270 6b9b3e3d ___vcrt_FlsSetValue 14263->14270 14272 6b9b3f80 14263->14272 14267 6b9b3fb1 14264->14267 14266 6b9b408b 14265->14266 14266->14252 14267->14262 14268 6b9b3854 63 API calls 14267->14268 14267->14272 14268->14267 14269 6b9c15bc 26 API calls 14269->14270 14270->14262 14270->14269 14271 6b9b4092 14270->14271 14270->14272 14273 6b9b408d 14270->14273 14275 6b9b3854 63 API calls 14270->14275 14274 6b9b6c20 ___std_exception_copy 11 API calls 14271->14274 14272->14259 14272->14262 14276 6b9a4112 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 14273->14276 14277 6b9b409e 14274->14277 14275->14270 14276->14271 14278 6b9b4778 EnterCriticalSection LeaveCriticalSection 14277->14278 14279 6b9b40c5 14278->14279 14279->14252 14281 6b9c499d 43 API calls 14280->14281 14282 6b9c47b8 14281->14282 14283 6b9c48bd 14282->14283 14284 6b9c47f5 IsValidCodePage 14282->14284 14290 6b9c4810 ___std_exception_copy 14282->14290 14285 6b9a3b9b _ValidateLocalCookies 5 API calls 14283->14285 14284->14283 14286 6b9c4807 14284->14286 14287 6b9c499b 14285->14287 14288 6b9c4830 GetCPInfo 14286->14288 14286->14290 14287->14253 14288->14283 14288->14290 14289 6b9c4d27 43 API calls 14289->14283 14290->14289 14315 6b871630 GetCurrentProcessId 14291->14315 14299 6b77da4c 14298->14299 14300 6b77d91a 14298->14300 14328 6b959b40 14299->14328 14304 6b77d933 14300->14304 14316 6b77d550 14300->14316 14305 6b9639b0 82 API calls 14304->14305 14306 6b77d965 14305->14306 14307 6b9639b0 82 API calls 14306->14307 14308 6b77d9a9 14306->14308 14307->14308 14308->14299 14324 6b8597a0 14308->14324 14311 6b9639c7 14310->14311 14312 6b859220 4 API calls 14311->14312 14313 

Control-flow Graph

[Control-flow graph of the function starting at 6b92e700; rendered as an image in the original report]
APIs
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 6B92E7B6
• TryAcquireSRWLockExclusive.KERNEL32(3275000C), ref: 6B92E7D4
• CreateEventW.KERNEL32 ref: 6B92E821
• CreateEventW.KERNEL32 ref: 6B92E841
• CreateEventW.KERNEL32 ref: 6B92E85C
• ReleaseSRWLockExclusive.KERNEL32(?), ref: 6B92E93E
• GetCurrentProcess.KERNEL32 ref: 6B92E96A
• DuplicateHandle.KERNEL32(00000000,?,?,?,00100002,00000000,00000000), ref: 6B92E983
• GetCurrentProcess.KERNEL32 ref: 6B92E9AB
• DuplicateHandle.KERNEL32(00000000,?,?,?,00100002,00000000,00000000), ref: 6B92E9C2
• GetCurrentProcess.KERNEL32 ref: 6B92E9EA
• DuplicateHandle.KERNEL32(00000000,?,?,?,00100002,00000000,00000000), ref: 6B92EA01
• __Init_thread_header.LIBCMT ref: 6B92EAE5
• __Init_thread_footer.LIBCMT ref: 6B92EB18
• ImpersonateNamedPipeClient.ADVAPI32(C72674FF), ref: 6B92EB49
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 6B92EB5D
• RevertToSelf.ADVAPI32 ref: 6B92EB69
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Process$CreateCurrentDuplicateEventHandle$ExclusiveLockOpen$AcquireClientImpersonateInit_thread_footerInit_thread_headerNamedPipeReleaseRevertSelf
                                                                                                                                                                                                                                • String ID: expecting: $, got: $..\..\third_party\crashpad\crashpad\util\win\exception_handler_server.cc$..\..\third_party\libc++\src\include\__memory\construct_at.h:40: assertion __location != nullptr failed: null pointer given to construct_at$::GetNamedPipeClientProcessId$ImpersonateNamedPipeClient$ServiceClientConnection$failed to open $forged client pid, real pid: $forged shutdown request, got: $kernel32.dll$unexpected version. got: $unhandled message type:
                                                                                                                                                                                                                                • API String ID: 148007397-3007050188
                                                                                                                                                                                                                                • Opcode ID: d7bdd5cc153306b587b5b9e6ba01bfb8e6570ba1087ae0b591d95d82edc1764e
                                                                                                                                                                                                                                • Instruction ID: 7739689b1dc71012605f4fac79daf4562604f2679a73bffa9871847572de6557
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d7bdd5cc153306b587b5b9e6ba01bfb8e6570ba1087ae0b591d95d82edc1764e
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B102B270D603049FEF10DF78CC86BA977B8BF59308F0085A9E909A7295EB34D985CB61
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%
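The API sequence in this function (ImpersonateNamedPipeClient, OpenProcess with desired access 001F0FFF, RevertToSelf), together with the strings `::GetNamedPipeClientProcessId` and `forged client pid, real pid:` and the `exception_handler_server.cc` path, is Crashpad's exception handler server validating a named-pipe client before opening a handle to it: the open happens under the client's token, so the server can only reach processes the client itself could reach, and the pid the client claims is checked against the kernel-reported one. As an added example that is not part of the Joe Sandbox report or of Crashpad, the following Python script parses "APIs" bullets in this report's format, decodes the OpenProcess access mask, and reports which calls are made while the server is impersonating its client. The sample input is constructed from the API listings on this page; the regex, the right-name table and the `triage` output format are the example's own.

```python
"""Parse Joe Sandbox 'APIs' bullets and flag what a named-pipe server does while
impersonating its client.  Added example; not code from the report or from Crashpad."""
import re
from typing import List, NamedTuple, Optional


class ApiCall(NamedTuple):
    name: str
    module: str
    args: List[str]
    ref: int  # call-site address taken from "ref: XXXXXXXX"


# One report bullet: "• Name.MODULE(arg,arg,?), ref: 6B92EB5D" or "• Name.MODULE ref: 6B92EB69"
_API_RE = re.compile(
    r"^\s*•?\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return every API bullet in listing order; headers and string bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


# Process access rights from winnt.h (bit -> name).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}


def decode_process_access(mask: int) -> List[str]:
    """Expand an OpenProcess dwDesiredAccess value into right names.
    0x1F0FFF is PROCESS_ALL_ACCESS as defined by pre-Vista SDK headers
    (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF); Vista+ headers use 0x1FFFFF."""
    names = [n for bit, n in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    if mask & 0x1F0FFF == 0x1F0FFF:
        names.insert(0, "PROCESS_ALL_ACCESS")
    return names


def _hex_arg(arg: str) -> Optional[int]:
    try:
        return int(arg, 16)
    except ValueError:  # "?" means the sandbox could not recover the argument
        return None


def impersonation_windows(calls: List[ApiCall]) -> List[dict]:
    """Group calls into ImpersonateNamedPipeClient ... RevertToSelf windows, in listing order."""
    windows, inside = [], None
    for c in calls:
        if c.name == "ImpersonateNamedPipeClient":
            inside = {"impersonate": c.ref, "revert": None, "calls": []}
        elif inside is not None and c.name == "RevertToSelf":
            inside["revert"] = c.ref
            windows.append(inside)
            inside = None
        elif inside is not None:
            inside["calls"].append(c)
    if inside is not None:  # impersonation never reverted within this listing
        windows.append(inside)
    return windows


def triage(text: str) -> List[dict]:
    """One finding per impersonation window: where it starts/ends, whether it is left
    open, and the decoded access mask of any OpenProcess made under the client's token."""
    findings = []
    for w in impersonation_windows(parse_api_lines(text)):
        f = {"impersonate": w["impersonate"], "revert": w["revert"],
             "unreverted": w["revert"] is None, "open_process_access": []}
        for c in w["calls"]:
            if c.name == "OpenProcess" and c.args:
                mask = _hex_arg(c.args[0])
                if mask is not None:
                    f["open_process_access"] = decode_process_access(mask)
        findings.append(f)
    return findings


# Constructed sample: API bullets copied from the listings on this report page.
SAMPLE = """APIs
• ImpersonateNamedPipeClient.ADVAPI32(C72674FF), ref: 6B92EB49
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 6B92EB5D
• RevertToSelf.ADVAPI32 ref: 6B92EB69
APIs
• GetCurrentProcess.KERNEL32 ref: 6B86EF26
• DuplicateHandle.KERNELBASE(00000000,00000000,00000000,00000002,00000000,00000000,00000002), ref: 6B86EF44
• GetLastError.KERNEL32 ref: 6B86EF5C
APIs
• GetLastError.KERNEL32 ref: 6B92E557
• DisconnectNamedPipe.KERNELBASE(?), ref: 6B92E569
• ConnectNamedPipe.KERNELBASE(?,00000000), ref: 6B92E570
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run stand-alone, the script reports a single window from 6B92EB49 to 6B92EB69 in which OpenProcess is called with PROCESS_ALL_ACCESS (pre-Vista value); an "unreverted" finding would indicate a server that keeps the client's token after the request, which is the mistake to look for in a pipe server you are reviewing.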

Control-flow Graph (basic blocks with their successors; "call" marks a call made inside the block)
153 6b9d65f0-6b9d65fb -> 154, 155
154 6b9d65fd-6b9d660d call 6b9c0630 -> 160, 161
155 6b9d666a -> 157
157 6b9d666f-6b9d6674 call 6b9d98a0 -> 161
160 6b9d660f-6b9d6614 -> 162, 163
161 6b9d6679-6b9d668b call 6b9d6720 -> 169, 170
162 6b9d6635-6b9d6638 -> 165
163 6b9d6616-6b9d6633 call 6b9a3359 -> 165
165 6b9d663a-6b9d6642 -> 171, 172
169 6b9d668d-6b9d669d call 6b9c0864 -> 181, 182
170 6b9d6703 -> 174
171 6b9d6648-6b9d664a -> 176, 177
172 6b9d6644-6b9d6646 -> 171, 175
174 6b9d6708-6b9d670d call 6b9d98a0 -> 182
175 6b9d6663-6b9d6668 -> 157
176 6b9d664c-6b9d6654 call 6b9a6f80 -> 177
177 6b9d6657-6b9d6660
181 6b9d669f-6b9d66a4 -> 184, 185
182 6b9d6712-6b9d6714 call 6b9d6720 -> 188
184 6b9d66ca-6b9d66cd -> 189
185 6b9d66a6-6b9d66ac -> 187, 188
187 6b9d66ae-6b9d66b2 call 6b9a3359 -> 194
188 6b9d6719-6b9d672f call 6b9d6740 call 6b9d6730
189 6b9d66cf-6b9d66d7 -> 192, 193
192 6b9d66dd-6b9d66df -> 197, 198
193 6b9d66d9-6b9d66db -> 192, 196
194 6b9d66b7-6b9d66c8 -> 189
196 6b9d66fc-6b9d6701 -> 174
197 6b9d66ee-6b9d66f9
198 6b9d66e1-6b9d66eb call 6b9a6f80 -> 197
APIs
Strings
• bad_array_new_length was thrown in -fno-exceptions mode, xrefs: 6B9D6743
• ..\..\third_party\libc++\src\include\__string\char_traits.h:222: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap, xrefs: 6B9D66FC
• basic_string, xrefs: 6B9D6723, 6B9D6753
• out_of_range was thrown in -fno-exceptions mode with message "%s", xrefs: 6B9D6766
• length_error was thrown in -fno-exceptions mode with message "%s", xrefs: 6B9D6736
• ..\..\third_party\libc++\src\include\string:973: assertion __s != nullptr failed: basic_string(const char*) detected nullptr, xrefs: 6B9D666A, 6B9D6703
• 01, xrefs: 6B9D676B
• ..\..\third_party\libc++\src\include\__string\char_traits.h:145: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap, xrefs: 6B9D6663
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: _strlen
• String ID: ..\..\third_party\libc++\src\include\__string\char_traits.h:145: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap$..\..\third_party\libc++\src\include\__string\char_traits.h:222: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap$..\..\third_party\libc++\src\include\string:973: assertion __s != nullptr failed: basic_string(const char*) detected nullptr$bad_array_new_length was thrown in -fno-exceptions mode$basic_string$length_error was thrown in -fno-exceptions mode with message "%s"$out_of_range was thrown in -fno-exceptions mode with message "%s"$01
• API String ID: 4218353326-118191342
• Opcode ID: 044bc93eaa2efa7fdb0a850c24911e6bf90834b2557b11c4e6733c8d073f8096
• Instruction ID: 0f87e95717cb517a2f35b8cd591e33dc53d0db7cbdfa094d6a295ef829b3239b
• Opcode Fuzzy Hash: 044bc93eaa2efa7fdb0a850c24911e6bf90834b2557b11c4e6733c8d073f8096
• Instruction Fuzzy Hash: 13510571A007096FDB105EBADC95A5B7BADEB5265CF50843AE614C7200EB79E840C7E2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32 ref: 6B86EF26
• GetCurrentThread.KERNEL32 ref: 6B86EF2A
• GetCurrentProcess.KERNEL32 ref: 6B86EF32
• DuplicateHandle.KERNELBASE(00000000,00000000,00000000,00000002,00000000,00000000,00000002), ref: 6B86EF44
• GetLastError.KERNEL32 ref: 6B86EF5C
• SetLastError.KERNEL32(00000000), ref: 6B86EF73
• GetCurrentThreadId.KERNEL32 ref: 6B86EF80
• GetCurrentThreadId.KERNEL32 ref: 6B86EFDD
• GetCurrentThread.KERNEL32 ref: 6B86EFEC
• GetThreadPriority.KERNEL32(00000000), ref: 6B86EFF3
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: Current$Thread$ErrorLastProcess$DuplicateHandlePriority
• String ID:
• API String ID: 1544239892-0
• Opcode ID: a512a026b87f690b215fb5f4902209fe5082dde2dd4c70349ea2618ac2b85c30
• Instruction ID: fed126377a8f447606a2a0b19a4d2e66ea1eee52ac56952ac5a7742d04dd51f8
• Opcode Fuzzy Hash: a512a026b87f690b215fb5f4902209fe5082dde2dd4c70349ea2618ac2b85c30
• Instruction Fuzzy Hash: F7311675E043059BEB00AFB8CC4996F7B69EF85258B004D29E911D3241EB38DC02C7A2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetLastError.KERNEL32 ref: 6B92E557
• DisconnectNamedPipe.KERNELBASE(?), ref: 6B92E569
• ConnectNamedPipe.KERNELBASE(?,00000000), ref: 6B92E570
Strings
• ConnectNamedPipe, xrefs: 6B92E5F6
• ..\..\third_party\crashpad\crashpad\util\win\exception_handler_server.cc, xrefs: 6B92E5EA
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: NamedPipe$ConnectDisconnectErrorLast
                                                                                                                                                                                                                                • String ID: ..\..\third_party\crashpad\crashpad\util\win\exception_handler_server.cc$ConnectNamedPipe
                                                                                                                                                                                                                                • API String ID: 30367271-692259547
                                                                                                                                                                                                                                • Opcode ID: 2384d4c44c8bae7faf54f37c6b2d79829ef22bf1a99e2ab631a32b54274d953b
                                                                                                                                                                                                                                • Instruction ID: 912d4e59e2998a7c02fd3a11913a198209b373a381e98d4e38261469059a321a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2384d4c44c8bae7faf54f37c6b2d79829ef22bf1a99e2ab631a32b54274d953b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0B2138B0D30704ABEF10DB34DC86FAA776C6F5271CF004464D91493299EB7DE555C6A2
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,6B9B53FD,6B9C25A0,?,00000000,?,6B9A540E,00000000,?,?,?,?,?,?,6B9EAED7), ref: 6B9C36AF
                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6B9C3751
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1452528299-0
                                                                                                                                                                                                                                • Opcode ID: 6c860a95b73328759c44ecd25abf3f0815fbebca91697e2cba23bffdd0e17ba1
                                                                                                                                                                                                                                • Instruction ID: 99258e323ce89b718f60426ed93979b0f6429c7b0bf2f44f231e0b9c11519e16
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6c860a95b73328759c44ecd25abf3f0815fbebca91697e2cba23bffdd0e17ba1
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9611E97121C3106FFB2126789DC6E473B6CAF12BACB100634F124931A1DB3CC9058263
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • FormatMessageW.KERNEL32(00001300,00000000,6B889E89,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 6B889C4B
                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,6B889E89,?,?), ref: 6B889C55
                                                                                                                                                                                                                                • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6B889CB2
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                • ..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 6B889DB4
                                                                                                                                                                                                                                • ..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 6B889DC2
                                                                                                                                                                                                                                • (0x%lX), xrefs: 6B889CC3
                                                                                                                                                                                                                                • ..\..\third_party\libc++\src\include\string_view:267: assertion __s != nullptr failed: null pointer passed to non-null argument of char_traits<...>::length, xrefs: 6B889DBB
                                                                                                                                                                                                                                • Error (0x%lX) while retrieving error. (0x%lX), xrefs: 6B889C5D
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                                                                                                                                • String ID: (0x%lX)$..\..\third_party\libc++\src\include\string_view:267: assertion __s != nullptr failed: null pointer passed to non-null argument of char_traits<...>::length$..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type$..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr$Error (0x%lX) while retrieving error. (0x%lX)
                                                                                                                                                                                                                                • API String ID: 1365068426-2639129309
                                                                                                                                                                                                                                • Opcode ID: 0e3f090218453dacf67281586035a7b71ad050e120b2a4195c27082607167e6d
                                                                                                                                                                                                                                • Instruction ID: 18db37a9e80dd59c004519510673c56da6c4c424ee18d5fc432c98e14ebedcd6
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0e3f090218453dacf67281586035a7b71ad050e120b2a4195c27082607167e6d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A851E4B1E04204AFEF11DF74CC45AEFBBB9AF55348F04442DE846A7212EB39A945C7A1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,6B9C7D6D,?,?), ref: 6B9C8450
                                                                                                                                                                                                                                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,6B9C7D6D,?,?), ref: 6B9C8479
                                                                                                                                                                                                                                • GetACP.KERNEL32(?,?,6B9C7D6D,?,?), ref: 6B9C848E
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: InfoLocale
                                                                                                                                                                                                                                • String ID: ACP$OCP
                                                                                                                                                                                                                                • API String ID: 2299586839-711371036
                                                                                                                                                                                                                                • Opcode ID: 58ab863218c4c7e168170ddb24c014bbc39f5ad3b6478868525a5b21a8455670
                                                                                                                                                                                                                                • Instruction ID: 6d28155c401e42ad5a12dc21e3f00b84458ac180444ac7bdaa4ab99df4ae7b15
• Opcode Fuzzy Hash: 58ab863218c4c7e168170ddb24c014bbc39f5ad3b6478868525a5b21a8455670
• Instruction Fuzzy Hash: 8A21C572A04201ABE72CCF14C881BAB77BEEF45F54B9288A4E909DB110E73ADD41C353
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 6B9C355A: GetLastError.KERNEL32(00000000,?,6B9BFC5D), ref: 6B9C355E
  • Part of subcall function 6B9C355A: SetLastError.KERNEL32(00000000,?,?,00000016,6B9A8A7B), ref: 6B9C3600
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 6B9C7D3F
• IsValidCodePage.KERNEL32(?), ref: 6B9C7D7D
• IsValidLocale.KERNEL32(?,00000001), ref: 6B9C7D90
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 6B9C7DD8
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 6B9C7DF3
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID:
• API String ID: 415426439-0
• Opcode ID: 9a1684c9a616882f8a664f05f7abbf13c1d4328e88537a38eebce0d82f811884
• Instruction ID: 1888fc9d23caf66101bc10ad73dcbf01c9cc3c0e444e152da232e394a90b12f0
• Opcode Fuzzy Hash: 9a1684c9a616882f8a664f05f7abbf13c1d4328e88537a38eebce0d82f811884
• Instruction Fuzzy Hash: D7513F72A00205ABEF10DFA5CC45ABB7BBCBF15704F104469E910EB151DB78D9418B63
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d2fca1aa51c1dee48d6e65cd30f053d14d7f57256149e23afecdc9cc702f876
• Instruction ID: de7ec31d98f0e0d7ab9408e83958b8eb1f13cf77c1b8501faf09bc06ca0fe01b
• Opcode Fuzzy Hash: 1d2fca1aa51c1dee48d6e65cd30f053d14d7f57256149e23afecdc9cc702f876
• Instruction Fuzzy Hash: 6F024B71E412199BDB14CFA9C9807AEFBB5FF48314F2582A9D919E7380D735AA01CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(?,?,6B92EB0B,kernel32.dll,::GetNamedPipeClientProcessId,00000000), ref: 6B906BE6
• GetProcAddress.KERNEL32(00000000,?), ref: 6B906C10
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID:
• API String ID: 2574300362-0
• Opcode ID: cab294e94e4b3c378224ae7e6de5ade111c752684a49ad2087dc9a4c85bb26f0
• Instruction ID: f4da939cd773a16ee0ed64234b516bb78865c485fe0356ed51106c355174f44e
• Opcode Fuzzy Hash: cab294e94e4b3c378224ae7e6de5ade111c752684a49ad2087dc9a4c85bb26f0
• Instruction Fuzzy Hash: F2E09AA0A482A06AFB010A21C8046263F6EDB47358B58C48EE25A49021DF3BC892C211
Uniqueness

Uniqueness Score: -1.00%
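The LoadLibraryW / GetProcAddress pair listed for the function above is the call sequence a binary uses to resolve an import at run time rather than through its import table; the string arguments the sandbox recovered at the call site are kernel32.dll and ::GetNamedPipeClientProcessId. When triaging many functions in a report like this, it helps to parse the "APIs" bullets mechanically instead of reading them one by one. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses bullets of the form shown above (including the "Part of subcall function" prefix used in the locale function earlier) into records, pulls out the arguments that resolved to strings, and flags functions that pair LoadLibrary* with GetProcAddress. The sample inputs are constructed from bullets on this page; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two API bullets from the report block above,
# copied as they appear on the page (bullet, call, resolved arguments, ref).
SAMPLE_DYNAMIC_IMPORT = """APIs
• LoadLibraryW.KERNEL32(?,?,6B92EB0B,kernel32.dll,::GetNamedPipeClientProcessId,00000000), ref: 6B906BE6
• GetProcAddress.KERNEL32(00000000,?), ref: 6B906C10
"""

# Constructed sample input: three bullets from the locale function earlier on
# the page, two of which the analyser attributed to a called sub-function.
SAMPLE_LOCALE = """APIs
  • Part of subcall function 6B9C355A: GetLastError.KERNEL32(00000000,?,6B9BFC5D), ref: 6B9C355E
  • Part of subcall function 6B9C355A: SetLastError.KERNEL32(00000000,?,?,00000016,6B9A8A7B), ref: 6B9C3600
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 6B9C7D3F
"""

# One "APIs" bullet: optional sub-call prefix, Api.MODULE(args), ref: address.
_API_LINE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Arguments the sandbox could not resolve ('?') or left as 32-bit hex immediates.
_OPAQUE_ARG = re.compile(r"^(\?|[0-9A-Fa-f]{8})$")

# Loader entry points that, combined with GetProcAddress, indicate run-time
# import resolution (hypothetical set chosen for this example).
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # set when the call lives in a called sub-function


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullets of one function's 'APIs' section into ApiCall records."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue  # section header or unrelated line
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module").upper(),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def string_args(calls: List[ApiCall]) -> List[str]:
    """Arguments the sandbox resolved to strings: module names, export names, paths."""
    return [a for c in calls for a in c.args if a and not _OPAQUE_ARG.match(a)]


def resolves_imports_dynamically(calls: List[ApiCall]) -> bool:
    """True when the function itself (not a sub-function) calls LoadLibrary* and GetProcAddress."""
    direct = {c.api for c in calls if c.subcall_of is None}
    return bool(direct & LOADERS) and "GetProcAddress" in direct


if __name__ == "__main__":
    for name, text in (("dynamic import", SAMPLE_DYNAMIC_IMPORT), ("locale", SAMPLE_LOCALE)):
        calls = parse_api_lines(text)
        print(f"{name}: {len(calls)} calls, strings={string_args(calls)}, "
              f"dynamic_resolution={resolves_imports_dynamically(calls)}")
```

Calls attributed to a sub-function are kept in the records but excluded from the dynamic-resolution check, so a shared helper that happens to call GetProcAddress does not make every caller look like a loader stub.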

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                control_flow_graph 399 6b889190-6b8891a8 400 6b8891ae-6b8891c2 call 6b9c0630 399->400 401 6b8894c4-6b8894c9 399->401 406 6b8891c4-6b8891c8 400->406 402 6b8894d0-6b8894d5 call 6b9d98a0 401->402 407 6b8894da-6b8894df 402->407 408 6b8891ca-6b8891d4 406->408 409 6b8891f5-6b889218 call 6b9d6770 406->409 410 6b8891db-6b8891e1 408->410 411 6b8891d6-6b8891d9 408->411 417 6b88921e-6b889225 409->417 418 6b889557-6b88957d call 6b9c0630 call 6b9d6770 * 2 409->418 410->409 413 6b8891e3-6b8891e5 410->413 411->406 411->410 415 6b8891eb-6b8891f3 413->415 416 6b8894b6-6b8894bb 413->416 415->409 416->402 420 6b889251-6b88925b 417->420 421 6b889227-6b88924e call 6b8ec240 call 6b8ec220 call 6b9d6770 417->421 434 6b889585-6b8895bb call 6b963380 call 6b9639b0 call 6b9634c0 418->434 423 6b88925d-6b88927b call 6b966380 call 6b77dd40 call 6b9d6770 420->423 424 6b88927e-6b889285 420->424 421->420 423->424 428 6b88928b-6b8892ae GetLocalTime 424->428 429 6b889376-6b88937d 424->429 433 6b8892b4-6b889373 call 6b77d8d0 * 2 call 6b9d6770 call 6b77d8d0 * 3 call 6b9d6770 call 6b77d8d0 call 6b9d6770 428->433 428->434 436 6b88952e-6b88954f GetTickCount call 6b77e1a0 call 6b9d6770 429->436 437 6b889383-6b88938b 429->437 433->429 436->418 438 6b889509-6b889529 call 6b9d6770 call 6b77db10 437->438 439 6b889391-6b889394 437->439 438->436 439->407 446 6b88939a-6b889408 call 6b9c0630 call 6b9d6770 * 4 call 6b77db10 call 6b9d6770 439->446 496 6b8894ec-6b8894f5 446->496 497 6b88940e-6b889416 446->497 501 6b889439 496->501 502 6b8894fb-6b889504 496->502 499 6b889418-6b88941b 497->499 500 6b88941d 497->500 499->500 504 6b889420-6b889422 500->504 505 6b88943c-6b889444 501->505 502->504 506 6b889428-6b88942e 504->506 507 6b8894cb 504->507 508 6b88944a-6b88944c 505->508 509 6b889446-6b889448 
505->509 510 6b8894e4-6b8894e7 call 6b9d6720 506->510 511 6b889434-6b889437 506->511 507->402 513 6b88945b-6b889464 508->513 514 6b88944e-6b889458 call 6b9a6f80 508->514 509->508 512 6b8894bd-6b8894c2 509->512 510->496 511->501 516 6b889493-6b8894b4 call 6b9a3359 511->516 512->402 518 6b889469-6b889472 513->518 519 6b889466 513->519 514->513 516->505 520 6b88947f-6b889490 call 6b9a3b9b 518->520 521 6b889474-6b88947c call 6b9a3389 518->521 519->518 521->520
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                • UNKNOWN, xrefs: 6B8894DA
                                                                                                                                                                                                                                • :, xrefs: 6B88956D
                                                                                                                                                                                                                                • ..\..\third_party\libc++\src\include\string_view:267: assertion __s != nullptr failed: null pointer passed to non-null argument of char_traits<...>::length, xrefs: 6B8894C4
                                                                                                                                                                                                                                • )] , xrefs: 6B8893F5
                                                                                                                                                                                                                                • ..\..\third_party\libc++\src\include\string_view:418: assertion __n <= size() failed: remove_prefix() can't remove more than size(), xrefs: 6B8894B6
                                                                                                                                                                                                                                • VERBOSE, xrefs: 6B88950B
                                                                                                                                                                                                                                • ..\..\third_party\libc++\src\include\string_view:326: assertion (__end - __begin) >= 0 failed: std::string_view::string_view(iterator, sentinel) received invalid range, xrefs: 6B8894CB
                                                                                                                                                                                                                                • ..\..\third_party\libc++\src\include\__string\char_traits.h:145: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap, xrefs: 6B8894BD
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: _strlen$CountLocalTickTime
• String ID: )] $..\..\third_party\libc++\src\include\__string\char_traits.h:145: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap$..\..\third_party\libc++\src\include\string_view:267: assertion __s != nullptr failed: null pointer passed to non-null argument of char_traits<...>::length$..\..\third_party\libc++\src\include\string_view:326: assertion (__end - __begin) >= 0 failed: std::string_view::string_view(iterator, sentinel) received invalid range$..\..\third_party\libc++\src\include\string_view:418: assertion __n <= size() failed: remove_prefix() can't remove more than size()$:$UNKNOWN$VERBOSE
• API String ID: 3535325690-3909393061
• Opcode ID: 598430d8f230bc35f47024f8e5e66ec1040d16547374bf16824b00183ea344c4
• Instruction ID: e8b990a003efc8bd64ae0c13d2c2d06db421d2a0fbaa7dfbc5e4afe13c170f0f
• Instruction Fuzzy Hash: BCC1F5B5E00208AFDF14CB74D855AAE77B8EF5A30CF044469E80577292EB79AD05CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• FeatureList-feature-accessed-too-early, xrefs: 6B890E19
• true, xrefs: 6B890D79
• false, xrefs: 6B890D7E, 6B890DB3
• ..\..\third_party\libc++\src\include\string_view:267: assertion __s != nullptr failed: null pointer passed to non-null argument of char_traits<...>::length, xrefs: 6B890DEB
• FeatureList-early-access-allow-list, xrefs: 6B890E59
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: Init_thread_footerInit_thread_header$_strlen
• String ID: ..\..\third_party\libc++\src\include\string_view:267: assertion __s != nullptr failed: null pointer passed to non-null argument of char_traits<...>::length$FeatureList-early-access-allow-list$FeatureList-feature-accessed-too-early$false$true
• API String ID: 3247314413-900038432
• Opcode ID: 964bb2392bdff0272d43806a266d14d82a2945260db9e6b4adcf0ff3d15d492f
• Instruction ID: 1626a5032bdfdd069ff743821123556350e35088654a640bf854d6c7d05476ee
• Instruction Fuzzy Hash: 9E3105B1D442049FDF20EF78DC46EAE77B0FB56718F004569D4115B281E739E886CAE2
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegisterWaitForSingleObject.KERNEL32(?,?,?,?,000000FF,00000000), ref: 6B92EDF9
• RegisterWaitForSingleObject.KERNEL32(?,?,?,?,000000FF,00000000), ref: 6B92EE13
• RegisterWaitForSingleObject.KERNEL32(?,?,?,?,000000FF,00000008), ref: 6B92EE2A
Strings
• RegisterWaitForSingleObject crash dump requested, xrefs: 6B92EE7E
• RegisterWaitForSingleObject process end, xrefs: 6B92EF18
• ..\..\third_party\crashpad\crashpad\util\win\exception_handler_server.cc, xrefs: 6B92EE6C, 6B92EEB9, 6B92EF06
• RegisterWaitForSingleObject non-crash dump requested, xrefs: 6B92EECB
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: ObjectRegisterSingleWait
• String ID: ..\..\third_party\crashpad\crashpad\util\win\exception_handler_server.cc$RegisterWaitForSingleObject crash dump requested$RegisterWaitForSingleObject non-crash dump requested$RegisterWaitForSingleObject process end
• API String ID: 1092942010-2013388152
• Opcode ID: ebc114c9917e8f435fb1e7f27b30e13eb73c74f441b426106fce882eecbaee6e
• Instruction ID: a58d2bbe10474af6ae29349a814ac32c2901df6eb6e3574e91eb966004ddd360
• Instruction Fuzzy Hash: BF313A71A503147BEE209A749C4BFAE3B7DAF41718F404438F625672C6DB38EA08C672
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: 20edee776f376f9c7d81a41635e786f58393c476568771fd663273798316f5b8
• Instruction ID: 829df29353bd54407933fe4de52080c93ac25cdf391c6edbedb4c1807a08fbec
• Instruction Fuzzy Hash: 34B13A72D043559FDB018F64CC82BAF7BB9EF5A314F154196E608AB282D778D901C7A3
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • _strlen.LIBCMT ref: 6B9D9F62
                                                                                                                                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B9D9FB7
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
• String ID: %*s:%s$%s%s %s$[%03u.%03u] $[printf format error]
• API String ID: 2172594012-3351823563
• Opcode ID: 872e0fe2aacfec7f5c04cb6736c17c1042c44d667f82e87f0f76a7be618479ab
• Instruction ID: 9836c5bff280d23d19b67a8677bd343663ea855ed37e47a536a85f1374ec1231
• Opcode Fuzzy Hash: 872e0fe2aacfec7f5c04cb6736c17c1042c44d667f82e87f0f76a7be618479ab
• Instruction Fuzzy Hash: A65169B2D047416BEB00AF34CC46E6BBB69EFD6318F00CA2DF95952181EB39D55487A2
Uniqueness
Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 6B9A56C7
• ___except_validate_context_record.LIBVCRUNTIME ref: 6B9A56CF
• _ValidateLocalCookies.LIBCMT ref: 6B9A5758
• __IsNonwritableInCurrentImage.LIBCMT ref: 6B9A5783
• _ValidateLocalCookies.LIBCMT ref: 6B9A57D8
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: ea0ee7c894f819553575e0201ff4820166721714c4bc12cc405b4e529ff7d493
• Instruction ID: 8b2c0f50d0de5712cf927de2641e376f47cf5fa14254ea3810695cc7f8046a12
• Opcode Fuzzy Hash: ea0ee7c894f819553575e0201ff4820166721714c4bc12cc405b4e529ff7d493
• Instruction Fuzzy Hash: 63519834B04218DFCF00DF78C884A9E7BB5EF45318F158195D924AB361DB39EA42CB92
Uniqueness
Uniqueness Score: -1.00%

APIs
• TryAcquireSRWLockExclusive.KERNEL32(00000000), ref: 6B8D9736
  • Part of subcall function 6B9664C0: AcquireSRWLockExclusive.KERNEL32(6BAC0FDC,?,6B890BC2,?,6B890B85,00000003,00000000,?,6B894305,6BABBA84), ref: 6B9664C4
• ReleaseSRWLockExclusive.KERNEL32(00000000), ref: 6B8D9882
Strings
• id_to_handle_iter != thread_id_to_handle_.end(), xrefs: 6B8D9837
• handle_to_name_iter != thread_handle_to_interned_name_.end(), xrefs: 6B8D9797
• RemoveName, xrefs: 6B8D977E, 6B8D981E
• ..\..\base\threading\thread_id_name_manager.cc, xrefs: 6B8D9779, 6B8D9819
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: ExclusiveLock$Acquire$Release
• String ID: ..\..\base\threading\thread_id_name_manager.cc$RemoveName$handle_to_name_iter != thread_handle_to_interned_name_.end()$id_to_handle_iter != thread_id_to_handle_.end()
• API String ID: 1678258262-1713423127
• Opcode ID: a78653f2442565244bc2c4e419a52eb977514094ae95d0c37f526d26ce24957b
• Instruction ID: 426bcb79e2004c9e08d1a8291bf1d1b161793a9ecf526b1f0ec96435ae5e0c23
• Opcode Fuzzy Hash: a78653f2442565244bc2c4e419a52eb977514094ae95d0c37f526d26ce24957b
• Instruction Fuzzy Hash: C951F631F04205DFDF18DE39D86096A73F5BF94B09740496EE41A97241EB39E905CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentThread.KERNEL32 ref: 6B86EDC5
• SetThreadPriority.KERNEL32(00000000,7FFFFFFF,?,6B86F040,?,?), ref: 6B86EDF3
• GetCurrentThread.KERNEL32 ref: 6B86EE36
• SetThreadInformation.KERNEL32(00000000,00000003,?,0000000C,?,6B86F040,?,?), ref: 6B86EE42
• SetThreadPriority.KERNEL32(00000000,00020000,?,6B86F040,?,?), ref: 6B86EE7D
• SetThreadPriority.KERNEL32(00000000,000000FE,?,6B86F040,?,?), ref: 6B86EEC3
• SetThreadInformation.KERNEL32(00000000,00000000,?,00000004,?,6B86F040,?,?), ref: 6B86EEDD
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: Thread$Priority$CurrentInformation
• String ID:
• API String ID: 3180331770-0
• Opcode ID: ef8941ad267e5d34845b324ad84c22454d27bf1c1a7f2147a739307fe9386bdd
• Instruction ID: 6c8e9202cc4033cd49cd52fbe2e166c50efd3f979505b82aa53ea4196d7ceb32
• Opcode Fuzzy Hash: ef8941ad267e5d34845b324ad84c22454d27bf1c1a7f2147a739307fe9386bdd
• Instruction Fuzzy Hash: 023138B1A5C3189FEB114FB88C487AA3B64EB0B7D2F004D65E97947291E77DC846C750
Uniqueness
Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNEL32(00000000), ref: 6B9C41FF
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                                                                                                • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                • API String ID: 3664257935-537541572
                                                                                                                                                                                                                                • Opcode ID: 5273ab4dc64e68eceadc9fe06c7ca4a90c718756be0d0f46c7ea2a9c6bde66f9
                                                                                                                                                                                                                                • Instruction ID: c44684e22e0be3727b78709ca87eeaa5bc78962714d14f2bf3ea43eaa814aa13
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5273ab4dc64e68eceadc9fe06c7ca4a90c718756be0d0f46c7ea2a9c6bde66f9
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3D210B35B453209BEB129F65CC46A8B37ACDB637A4B109151EC66A7390D738E901CBD3
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,00000001,6B9C16E8,6B9A57F4,00000011), ref: 6B9C16FF
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6B9C170D
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6B9C1726
• SetLastError.KERNEL32(00000000), ref: 6B9C1778
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 752ec97fd4d2c0741cc71461a60c527e48b1c43d748845b29e6909b443629244
• Instruction ID: 6299accb5766f3abb9b92381d09e131d32be29b99ba81daeb5d285e6f254acfe
• Opcode Fuzzy Hash: 752ec97fd4d2c0741cc71461a60c527e48b1c43d748845b29e6909b443629244
• Instruction Fuzzy Hash: 4D01FC3260C7319EFB051679AC965572F68DB13A7D730C63DE230860F0EF59C806A197
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• ..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 6B890EEC
• false, xrefs: 6B890E85, 6B890F13
• ..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 6B890EE5
• ..\..\third_party\libc++\src\include\string_view:267: assertion __s != nullptr failed: null pointer passed to non-null argument of char_traits<...>::length, xrefs: 6B890EF3
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: _strlen
• String ID: ..\..\third_party\libc++\src\include\string_view:267: assertion __s != nullptr failed: null pointer passed to non-null argument of char_traits<...>::length$..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type$..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr$false
• API String ID: 4218353326-3383702859
• Opcode ID: cde5d95220bedd588a27d67448b62b716d77991d330e9d3ec6c6a8eeb98c3c77
• Instruction ID: b5c7effcc0ebf5711635ed6333594b422ab091d36380784b71ff27ddc9787f03
• Opcode Fuzzy Hash: cde5d95220bedd588a27d67448b62b716d77991d330e9d3ec6c6a8eeb98c3c77
• Instruction Fuzzy Hash: BB1125737443596FAF00AE6C6C40A5E77ACAE59A58B040875FE58C7300EB3AE84083E2
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E0FB1D68,?,?,00000000,6BA323AF,000000FF,?,6B9B27FF,00000002,?,6B9B289B,6B9B8161), ref: 6B9B2773
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6B9B2785
• FreeLibrary.KERNEL32(00000000,?,?,00000000,6BA323AF,000000FF,?,6B9B27FF,00000002,?,6B9B289B,6B9B8161), ref: 6B9B27A7
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 5af712ea0c50804b4f70ba32a05bea0df81923d7cdeabbdcdf3549718018d3a5
• Instruction ID: a8506f2da18991717321396220cb2e31421d111d5e61878afe92e4878b281ed2
• Opcode Fuzzy Hash: 5af712ea0c50804b4f70ba32a05bea0df81923d7cdeabbdcdf3549718018d3a5
• Instruction Fuzzy Hash: 09014F31918729EFEF018F54CC48FAEBBB9FB05715F004627A821E26A0DB78D901CA94
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • ___std_exception_destroy.LIBVCRUNTIME ref: 6B9D9840
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                • bad_variant_access.cc, xrefs: 6B9D981A
                                                                                                                                                                                                                                • bad_cast was thrown in -fno-exceptions mode, xrefs: 6B9D9803
                                                                                                                                                                                                                                • Bad variant access, xrefs: 6B9D9813
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: ___std_exception_destroy
• String ID: Bad variant access$bad_cast was thrown in -fno-exceptions mode$bad_variant_access.cc
• API String ID: 4194217158-1323337912
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(?,00000000,00000800,?,6B9D0938,00000000,?,?,?,?,?,6B9D07F6,00000002,FlsGetValue,6BA38A18,6BA38A20), ref: 6B9D08A9
• GetLastError.KERNEL32(?,6B9D0938,00000000,?,?,?,?,?,6B9D07F6,00000002,FlsGetValue,6BA38A18,6BA38A20,00000000,?,6B9C17A4), ref: 6B9D08B3
• LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 6B9D08DB
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetConsoleOutputCP.KERNEL32(E0FB1D68,00000000,00000000,?), ref: 6B9BC125
  • Part of subcall function 6B9C999A: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6B9C34C4,?,00000000,-00000008), ref: 6B9C99FB
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6B9BC377
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6B9BC3BD
• GetLastError.KERNEL32 ref: 6B9BC460
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 6B965D3D
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B965D7A
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B965DBE
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B965E22
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CounterPerformanceQuery
• String ID:
• API String ID: 374826692-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• __Init_thread_header.LIBCMT ref: 6B8DBE19
  • Part of subcall function 6B9A33F7: EnterCriticalSection.KERNEL32(6BABCF68,?,?,?,6B9DD691,6BABFD80,?,6B9DD71A), ref: 6B9A3402
  • Part of subcall function 6B9A33F7: LeaveCriticalSection.KERNEL32(6BABCF68,?,6B9DD691,6BABFD80,?,6B9DD71A), ref: 6B9A343F
• __Init_thread_footer.LIBCMT ref: 6B8DBE48
  • Part of subcall function 6B9A346D: EnterCriticalSection.KERNEL32(6BABCF68,?,?,6B9DD6B4,6BABFD80), ref: 6B9A3477
  • Part of subcall function 6B9A346D: LeaveCriticalSection.KERNEL32(6BABCF68,?,6B9DD6B4,6BABFD80), ref: 6B9A34AA
  • Part of subcall function 6B9A346D: WakeAllConditionVariable.KERNEL32(?,6BABFD80), ref: 6B9A351D
• TryAcquireSRWLockExclusive.KERNEL32(00000000), ref: 6B8DBE7D
• ReleaseSRWLockExclusive.KERNEL32(00000000), ref: 6B8DBEA1
Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CriticalSection$EnterExclusiveLeaveLock$AcquireConditionInit_thread_footerInit_thread_headerReleaseVariableWake
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1930009111-0
                                                                                                                                                                                                                                • Opcode ID: 27045236b851c75cbb9bd85e148ac3dc2ce59e8498a0c2ec495f6c96c33c3f11
                                                                                                                                                                                                                                • Instruction ID: b7847c12cca2109005b55c750f64b68aa5b5b310647b9e5d61f651324ba90561
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 27045236b851c75cbb9bd85e148ac3dc2ce59e8498a0c2ec495f6c96c33c3f11
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7D214DB2E083549BEF209F399802B5A37A1AB86719F44492EE60547340EF3DE502C7D3
Uniqueness

Uniqueness Score: -1.00%

APIs
• __Init_thread_header.LIBCMT ref: 6B963885
• __Init_thread_footer.LIBCMT ref: 6B9638DA
• __Init_thread_header.LIBCMT ref: 6B9638EC
  • Part of subcall function 6B9A33F7: EnterCriticalSection.KERNEL32(6BABCF68,?,?,?,6B9DD691,6BABFD80,?,6B9DD71A), ref: 6B9A3402
  • Part of subcall function 6B9A33F7: LeaveCriticalSection.KERNEL32(6BABCF68,?,6B9DD691,6BABFD80,?,6B9DD71A), ref: 6B9A343F
• __Init_thread_footer.LIBCMT ref: 6B96392F
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: CriticalInit_thread_footerInit_thread_headerSection$EnterLeave
• String ID:
• API String ID: 2234156424-0
• Opcode ID: 9972bc4a738fea0ecfb9fc4bf77fa35424fc8616a9659bc53d6c3f6dda021926
• Instruction ID: b952b381b40031c6df99d5bcfcc78971214ba63d04f8cfa3d836e4da2908ea68
• Opcode Fuzzy Hash: 9972bc4a738fea0ecfb9fc4bf77fa35424fc8616a9659bc53d6c3f6dda021926
• Instruction Fuzzy Hash: 8631C4F0988600CFD732DF7CC845B5A77B8F7067A5F008169D52A4B341E739E842CA96
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• Free, xrefs: 6B905FFC
• CloseHandle, xrefs: 6B906019
• ..\..\third_party\crashpad\crashpad\util\win\scoped_handle.cc, xrefs: 6B905FF7
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: CloseHandle
• String ID: ..\..\third_party\crashpad\crashpad\util\win\scoped_handle.cc$CloseHandle$Free
• API String ID: 2962429428-1704384866
• Opcode ID: 0a91fc3d69bf0f710fd7a806a298daf3e76b021892bd354535adc9457a6ca69f
• Instruction ID: f0dc3b0bfd84593cf04651183be19b6dccf6cd968fcefa39b89c363eb38617a7
• Opcode Fuzzy Hash: 0a91fc3d69bf0f710fd7a806a298daf3e76b021892bd354535adc9457a6ca69f
• Instruction Fuzzy Hash: 49F0F671E00318678F10AE7A9C46DBF3B38AF96608B44405DE91527242DF3CA51587F1
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteConsoleW.KERNEL32(?,?,?,00000000,?,?,6B9CBDA2,?,00000001,?,?,?,6B9BC4B4,?,00000000,00000000), ref: 6B9D2395
• GetLastError.KERNEL32(?,6B9CBDA2,?,00000001,?,?,?,6B9BC4B4,?,00000000,00000000,?,?,?,6B9BBDFA,?), ref: 6B9D23A1
  • Part of subcall function 6B9D2400: CloseHandle.KERNEL32(FFFFFFFE,6B9D23B1,?,6B9CBDA2,?,00000001,?,?,?,6B9BC4B4,?,00000000,00000000,?,?), ref: 6B9D2410
• ___initconout.LIBCMT ref: 6B9D23B1
  • Part of subcall function 6B9D23D3: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6B9D236F,6B9CBD8F,?,?,6B9BC4B4,?,00000000,00000000,?), ref: 6B9D23E6
• WriteConsoleW.KERNEL32(?,?,?,00000000,?,6B9CBDA2,?,00000001,?,?,?,6B9BC4B4,?,00000000,00000000,?), ref: 6B9D23C6
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: 6da857ab08379a8b6d3d0abeea202dcba34a1ecefb4bfc9622462d5086e26c6b
• Instruction ID: f0d1489a373e39e1601d34b967317d5c9810813ae1f71c5844534483c29630b3
• Opcode Fuzzy Hash: 6da857ab08379a8b6d3d0abeea202dcba34a1ecefb4bfc9622462d5086e26c6b
• Instruction Fuzzy Hash: 8CF01236504B14BBDF221FA1CD04989BF66EF46765B008010FA2995130C635C861EBA1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • SleepConditionVariableCS.KERNELBASE(?,6B9A341C,00000064), ref: 6B9A34DA
                                                                                                                                                                                                                                • LeaveCriticalSection.KERNEL32(6BABCF68,?,?,6B9A341C,00000064,?,6B9DD691,6BABFD80,?,6B9DD71A), ref: 6B9A34E4
                                                                                                                                                                                                                                • WaitForSingleObjectEx.KERNEL32(?,00000000,?,6B9A341C,00000064,?,6B9DD691,6BABFD80,?,6B9DD71A), ref: 6B9A34F5
                                                                                                                                                                                                                                • EnterCriticalSection.KERNEL32(6BABCF68,?,6B9A341C,00000064,?,6B9DD691,6BABFD80,?,6B9DD71A), ref: 6B9A34FC
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3269011525-0
                                                                                                                                                                                                                                • Opcode ID: e2b66338374a63d3513f711a11354edb43535e94f143d710a901b7a832cbb34a
                                                                                                                                                                                                                                • Instruction ID: b6e391b606dd92d6c736e11dd3c2a9956f5443627a47d97315ae52e72d05ed58
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e2b66338374a63d3513f711a11354edb43535e94f143d710a901b7a832cbb34a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D4E06D32549328ABDF021F74CC08D9D3E29BB0BA51B0080A9F925561209675D856CBE0
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 6B9C355A: GetLastError.KERNEL32(00000000,?,6B9BFC5D), ref: 6B9C355E
                                                                                                                                                                                                                                  • Part of subcall function 6B9C355A: SetLastError.KERNEL32(00000000,?,?,00000016,6B9A8A7B), ref: 6B9C3600
                                                                                                                                                                                                                                • GetACP.KERNEL32(?,?,?,?,?,?,6B9B341C,?,?,?,?,?,-00000050,?,?,?), ref: 6B9C73E6
                                                                                                                                                                                                                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6B9B341C,?,?,?,?,?,-00000050,?,?), ref: 6B9C741D
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$CodePageValid
                                                                                                                                                                                                                                • String ID: utf8
                                                                                                                                                                                                                                • API String ID: 943130320-905460609
                                                                                                                                                                                                                                • Opcode ID: ab4e7710315fb495e40e9fa088f8a5acb073bad55f95a69f04bb3f6041af4b86
                                                                                                                                                                                                                                • Instruction ID: b8669b5123b43c8764762b29fcd516b7d643408f37f7adea764280e2b6edafaa
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ab4e7710315fb495e40e9fa088f8a5acb073bad55f95a69f04bb3f6041af4b86
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4251F671B04301ABE715AB75CC82BA777ACEF45749F00096AE925D70C1E77CE94086A3
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • TryAcquireSRWLockExclusive.KERNEL32(00000000,?,?,?,00000000,?,00000000,?,6B86EF8F,00000000,00000000), ref: 6B8D9566
                                                                                                                                                                                                                                • ReleaseSRWLockExclusive.KERNEL32(?,..\..\third_party\libc++\src\include\__memory\construct_at.h:40: assertion __location != nullptr failed: null pointer given to construct_at,6BA9BC04,?,?,?,00000000,?,00000000,?,6B86EF8F,00000000,00000000), ref: 6B8D96C0
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                • ..\..\third_party\libc++\src\include\__memory\construct_at.h:40: assertion __location != nullptr failed: null pointer given to construct_at, xrefs: 6B8D96F5
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ExclusiveLock$AcquireRelease
                                                                                                                                                                                                                                • String ID: ..\..\third_party\libc++\src\include\__memory\construct_at.h:40: assertion __location != nullptr failed: null pointer given to construct_at
                                                                                                                                                                                                                                • API String ID: 17069307-2888085009
                                                                                                                                                                                                                                • Opcode ID: e5d7528caf6f6529b518660116394c16fda7551e608825b7a1a998ad94c90dab
                                                                                                                                                                                                                                • Instruction ID: 2feea43cb20ca7fb1a0714e256f6ff99c1b82719ee39f0286a5c91926a4da082
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e5d7528caf6f6529b518660116394c16fda7551e608825b7a1a998ad94c90dab
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0E518CB1A04209EFDB04CF68D89095AB7F5FF497187014A6AE819EB342E734ED11CBA1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,6B9656DE,00000000,?,00000000,?,6B86F010,00000000), ref: 6B979DD4
                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetHandleVerifier), ref: 6B979DE0
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmpDownload File
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetHandleVerifier
• API String ID: 1646373207-1090674830
• Opcode ID: 01fd5f25181b89d11f853bba1bc2bb6f1be686a383bb6c25fc9e122f116c29dd
• Instruction ID: 348333957d20257ce0bf95750d086c7c844a3f545b6ed6deb8ce6922ff462f0d
• Opcode Fuzzy Hash: 01fd5f25181b89d11f853bba1bc2bb6f1be686a383bb6c25fc9e122f116c29dd
• Instruction Fuzzy Hash: AFE039312A8304BFFE603B688C4BF253ADEE707B01F504C75B521C6192EBA8D44582B1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 6B8DBA9E
• GetProcAddress.KERNEL32(00000000,GetHandleVerifier), ref: 6B8DBAAA
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3399244269.000000006B701000.00000020.00000001.01000000.0000001D.sdmp, Offset: 6B700000, based on PE: true
• Associated: 0000000E.00000002.3399188049.000000006B700000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399654118.000000006BA33000.00000002.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399776148.000000006BAB9000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399838229.000000006BABA000.00000008.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399899159.000000006BABB000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3399941065.000000006BACE000.00000004.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400013365.000000006BAD3000.00000020.00000001.01000000.0000001D.sdmp
• Associated: 0000000E.00000002.3400088024.000000006BAD6000.00000002.00000001.01000000.0000001D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6b700000_T2RIU3FpH6dczIGTG32vuvvE.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetHandleVerifier
• API String ID: 1646373207-1090674830
• Opcode ID: 43661da20217a81926615bed4eabf425289401b275be00e2355703ce90d7cbac
• Instruction ID: d94a308915b01f582fe1d29e7a78850310215d49595881c3a7fb027507c13274
• Opcode Fuzzy Hash: 43661da20217a81926615bed4eabf425289401b275be00e2355703ce90d7cbac
• Instruction Fuzzy Hash: CFE09235699388AFFE402B758C0AF253798B706B01F404C26F611C71D0EBA8E4458220
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 0.5%
Dynamic/Decrypted Code Coverage: 78.1%
Signature Coverage: 0%
Total number of Nodes: 32
Total number of Limit Nodes: 4

Control-flow Graph

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02ED024D
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: c888ef0d310670c98a3f762550467d8ce2b93cc8046e61e9807fb0037b26c9d0
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: C3526974A41229DFDB64CF68C984BACBBB1BF09314F1480D9E94DAB351DB30AA85CF14
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02FAF5DE
• Module32First.KERNEL32(00000000,00000224), ref: 02FAF5FE
Memory Dump Source
• Source File: 0000000F.00000002.3375966593.0000000002FAE000.00000040.00000020.00020000.00000000.sdmp, Offset: 02FAE000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2fae000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: b82596e25b4c758e9b1a0ce36b6f48ef4ad123c3c066d3fcdda361a1c62d7b52
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 1FF0F6716003107FD7303FF89C9CB6F76E8AF49264F100228E742D59C0CB71E8454A60
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• SetErrorMode.KERNELBASE(00000400,?,?,02ED0223,?,?), ref: 02ED0E19
• SetErrorMode.KERNELBASE(00000000,?,?,02ED0223,?,?), ref: 02ED0E1E
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: 2728ec6266eccd2df74ccad318daa4bcd13064fc6acaeedfbc78d4ad9a9bc59b
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 33D0123114512877DB002AA4DC09BCD7B1CDF05B66F048011FB0DD9080C770954146E5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
Legend: Executed / Not Executed (colour-coded in the original graph image)
Basic blocks:
• 102: 2faf275-2faf2af, call 2faf588
• 105: 2faf2fd
• 106: 2faf2b1-2faf2e4, VirtualAlloc, call 2faf302
• 108: 2faf2e9-2faf2fb
Edges: 102->105, 102->106, 105->105, 106->108, 108->105
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02FAF2C6
Memory Dump Source
• Source File: 0000000F.00000002.3375966593.0000000002FAE000.00000040.00000020.00020000.00000000.sdmp, Offset: 02FAE000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2fae000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: 8b32162c2fe6a59ebdaa549e13d4b3de5f954c84e0529289cfb64ac0c5e66c18
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: 9C113C79A00208EFDB01DF98C985E98BBF5EF08351F158094FA489B361D775EA50DF90
Uniqueness
Uniqueness Score: -1.00%
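
The APIs and Memory Dump Source entries of this function are the part of the report worth reading closely: code running from a region that is not backed by any PE image (based on PE: false) calls VirtualAlloc with lpAddress NULL, flAllocationType 0x1000 (MEM_COMMIT) and flProtect 0x40 (PAGE_EXECUTE_READWRITE), i.e. it asks the OS for fresh writable and executable memory, which is what an unpacker or loader stage does before copying the next payload in. The script below is an added triage helper, not Joe Sandbox code: it parses API and dump-source entries in the format shown on this page and flags writable+executable protections and call sites outside mapped images. The protection-argument positions come from the Win32 signatures of VirtualAlloc, VirtualAllocEx, VirtualProtect and VirtualProtectEx; the first sample block is copied from the entries above, the second is a constructed benign block for contrast; the "writable and executable" rule is my choice of threshold.

```python
"""Triage helper for per-function "APIs" / "Memory Dump Source" entries of a
Joe Sandbox report. Added example; not part of Joe Sandbox or of the analysed
sample. Flags memory allocations / protection changes that request pages that
are both writable and executable, and call sites that sit in memory not backed
by a PE image (already-unpacked or injected code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Win32 page-protection constants (winnt.h).
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Zero-based index of the protection argument in each API's Win32 signature.
PROTECT_ARG = {"VirtualAlloc": 3, "VirtualAllocEx": 4, "VirtualProtect": 2, "VirtualProtectEx": 3}

# "• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02FAF2C6"
# "• GetACP.KERNEL32 ref: 0042076E"   (no argument list in the report)
API_RE = re.compile(
    r"^\s*\u2022?\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# "... Offset: 02FAE000, based on PE: false"
SOURCE_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # None where the report shows '?' (value unresolved)
    ref: int                    # address of the call instruction


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    dump_offset: Optional[int] = None
    backed_by_pe: Optional[bool] = None


def parse_args(raw: Optional[str]) -> List[Optional[int]]:
    if raw is None or not raw.strip():
        return []
    return [None if a.strip() == "?" else int(a.strip(), 16) for a in raw.split(",")]


def parse_block(text: str) -> FunctionBlock:
    """Parse one function block (APIs + Memory Dump Source) from the report text."""
    block = FunctionBlock()
    for line in text.splitlines():
        if "Part of subcall function" in line:
            continue  # the report attributes these to a callee, not to this function
        m = API_RE.match(line)
        if m:
            block.calls.append(ApiCall(m["name"], m["module"], parse_args(m["args"]), int(m["ref"], 16)))
            continue
        m = SOURCE_RE.search(line)
        if m:
            block.dump_offset = int(m["off"], 16)
            block.backed_by_pe = m["pe"] == "true"
    return block


def triage(block: FunctionBlock) -> List[str]:
    """Return human-readable findings for one function block."""
    findings = []
    for c in block.calls:
        idx = PROTECT_ARG.get(c.name)
        if idx is None or len(c.args) <= idx:
            continue
        prot = c.args[idx]
        if prot is None:
            findings.append(f"{c.name} @ {c.ref:08X}: protection argument unresolved, review manually")
        elif prot & EXEC_MASK and prot & WRITE_MASK:
            findings.append(f"{c.name} @ {c.ref:08X}: requests writable+executable pages (0x{prot:02X})")
    if block.backed_by_pe is False:
        findings.append(f"call site in dump at 0x{block.dump_offset:08X} is not backed by a PE image")
    return findings


# Sample input 1: the entries of the function shown on this page.
SAMPLE_BLOCK = """\
APIs
\u2022 VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02FAF2C6
Memory Dump Source
\u2022 Source File: 0000000F.00000002.3375966593.0000000002FAE000.00000040.00000020.00020000.00000000.sdmp, Offset: 02FAE000, based on PE: false
"""

# Sample input 2: a constructed benign block (PAGE_READWRITE, image-backed code).
BENIGN_BLOCK = """\
APIs
  \u2022 Part of subcall function 00416D19: GetLastError.KERNEL32(?,?), ref: 00416D1D
\u2022 VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00401234
\u2022 GetACP.KERNEL32 ref: 0042076E
Memory Dump Source
\u2022 Source File: constructed.sdmp, Offset: 00400000, based on PE: true
"""

if __name__ == "__main__":
    for label, text in (("page block", SAMPLE_BLOCK), ("benign block", BENIGN_BLOCK)):
        print(label, triage(parse_block(text)) or ["no findings"])
```

The check deliberately tests the protection bits, not just equality with 0x40, so PAGE_EXECUTE_WRITECOPY (0x80) and VirtualProtect-based RWX transitions are caught as well; an unresolved '?' protection is reported rather than silently passed, because in this report the unknown arguments are exactly the ones an analyst must confirm in the dump.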

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85
• GetUserDefaultLCID.KERNEL32 ref: 00420977
• IsValidCodePage.KERNEL32(00000000), ref: 004209D2
• IsValidLocale.KERNEL32(?,00000001), ref: 004209E1
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420A29
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00420A48
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID: 0B
• API String ID: 745075371-4003747729
• Opcode ID: f8dfd3e45c7171820dfa425feb9c1a2a63e1685b7cd510425c95f259fcd5efdc
• Instruction ID: 650ebaacf82e858368a26b85c64588bb52e0d85139106dd20bcc8c2b817cb8b1
• Opcode Fuzzy Hash: f8dfd3e45c7171820dfa425feb9c1a2a63e1685b7cd510425c95f259fcd5efdc
• Instruction Fuzzy Hash: 475184B1B002259AEB20DFA5EC45BBF77F8AF04700F94046BE905E7253D7789984CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
• IsValidCodePage.KERNEL32(00000000), ref: 00420015
• _wcschr.LIBVCRUNTIME ref: 004200A5
• _wcschr.LIBVCRUNTIME ref: 004200B3
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00420156
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID: 0B
• API String ID: 4212172061-4003747729
• Opcode ID: a67f0c87ba5b0233321a1933dfd54815027aea6e1cb45a6db47d5a69fa3d4796
• Instruction ID: 96eb391d46ce5fb78e8006d1997cb9303ceaefbbeb856b82c66811b22ec73256
• Opcode Fuzzy Hash: a67f0c87ba5b0233321a1933dfd54815027aea6e1cb45a6db47d5a69fa3d4796
• Instruction Fuzzy Hash: CD61F971700216AAE724AB35EC42BEB77E8EF04314F54403FF505D7282EA79E986C768
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00420730
• GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00420759
• GetACP.KERNEL32 ref: 0042076E
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: 2f8ee967946dfbb9997fc3c3bc2472c999760cc1c46ecdade7a51e654396b61a
• Instruction ID: f807061c0cfb0377689ec6e1dc83ff6a27fcbbb4928d2f32a34ff3ed1f12855e
• Opcode Fuzzy Hash: 2f8ee967946dfbb9997fc3c3bc2472c999760cc1c46ecdade7a51e654396b61a
• Instruction Fuzzy Hash: D021D822B00125A7D7308F54E900A9BB3E6AFD0F50BD68076E90AD7312E736ED41CB58
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 02EF0997
• GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 02EF09C0
• GetACP.KERNEL32 ref: 02EF09D5
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: 2f8ee967946dfbb9997fc3c3bc2472c999760cc1c46ecdade7a51e654396b61a
• Instruction ID: e5948c2133b90ab2ddacd0bcff15ee9f77810f6984c865c815b2e5c5f31962e6
• Opcode Fuzzy Hash: 2f8ee967946dfbb9997fc3c3bc2472c999760cc1c46ecdade7a51e654396b61a
• Instruction Fuzzy Hash: 0C21C922781101EAF7B18F55C800B9773A6ABE0E68B46D464EE49D710BF732D940C394
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02EE6F80: GetLastError.KERNEL32(?,?,02EDE697,?,?,?,02EDED94,?), ref: 02EE6F84
  • Part of subcall function 02EE6F80: _free.LIBCMT ref: 02EE6FB7
  • Part of subcall function 02EE6F80: SetLastError.KERNEL32(00000000), ref: 02EE6FF8
  • Part of subcall function 02EE6F80: _abort.LIBCMT ref: 02EE6FFE
  • Part of subcall function 02EE6F80: _free.LIBCMT ref: 02EE6FDF
  • Part of subcall function 02EE6F80: SetLastError.KERNEL32(00000000), ref: 02EE6FEC
• GetUserDefaultLCID.KERNEL32 ref: 02EF0BDE
• IsValidCodePage.KERNEL32(00000000), ref: 02EF0C39
• IsValidLocale.KERNEL32(?,00000001), ref: 02EF0C48
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 02EF0C90
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 02EF0CAF
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 745075371-0
                                                                                                                                                                                                                                • Opcode ID: f8dfd3e45c7171820dfa425feb9c1a2a63e1685b7cd510425c95f259fcd5efdc
                                                                                                                                                                                                                                • Instruction ID: b4c6db94c10d8e7c19692af81fc21136a5983208099019d4029a853f1e5d300d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f8dfd3e45c7171820dfa425feb9c1a2a63e1685b7cd510425c95f259fcd5efdc
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CE51A071A80215ABDF60DFA5CC50ABEB3B9FF04709F44D079EA14E7196EB709904CB61
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: y%B$y%B
                                                                                                                                                                                                                                • API String ID: 0-2510245575
                                                                                                                                                                                                                                • Opcode ID: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
                                                                                                                                                                                                                                • Instruction ID: 7f81a5055d29d3c9b3a65b9dd9c97bea9b47a5c616e9cad61c519a63aba044dd
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F8024C71E002199FDF14CFA9D9806EEB7F1FF88314F25826AD819E7380D774AA518B94
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 02EE6F80: GetLastError.KERNEL32(?,?,02EDE697,?,?,?,02EDED94,?), ref: 02EE6F84
                                                                                                                                                                                                                                  • Part of subcall function 02EE6F80: _free.LIBCMT ref: 02EE6FB7
                                                                                                                                                                                                                                  • Part of subcall function 02EE6F80: SetLastError.KERNEL32(00000000), ref: 02EE6FF8
                                                                                                                                                                                                                                  • Part of subcall function 02EE6F80: _abort.LIBCMT ref: 02EE6FFE
                                                                                                                                                                                                                                • IsValidCodePage.KERNEL32(00000000), ref: 02EF027C
                                                                                                                                                                                                                                • _wcschr.LIBVCRUNTIME ref: 02EF030C
                                                                                                                                                                                                                                • _wcschr.LIBVCRUNTIME ref: 02EF031A
                                                                                                                                                                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 02EF03BD
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 4212172061-0
                                                                                                                                                                                                                                • Opcode ID: a67f0c87ba5b0233321a1933dfd54815027aea6e1cb45a6db47d5a69fa3d4796
                                                                                                                                                                                                                                • Instruction ID: 135f0f8f946295d1929c79352db1b1d8749df856136c649ad0cd7bfc14767353
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a67f0c87ba5b0233321a1933dfd54815027aea6e1cb45a6db47d5a69fa3d4796
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1C611C72685206ABEB64AB74CC41BBB73ACEF04304F14D069FB09D7186EB70E940CB60
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                 Control-flow Graph
                                                                                                                                                                                                                                 [Graph omitted: basic-block edge list of the function at 411f6a (blocks 411f6a-4122f0). The graph shows one GetCPInfo call at block 41206a-412079 and repeated calls to the internal subroutines 41629a, 41704e, 41695c, 41b14e, 41b300 and 4097a5.]
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$Info
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2509303402-0
                                                                                                                                                                                                                                • Opcode ID: 9d037bec24c39842fdb41d63d06b61860568da7267ea86be451b4e4681316e80
                                                                                                                                                                                                                                • Instruction ID: 8ae6142132af87c7e5682a7a588f5480999d86aced5f895244e8bf3117bae5a7
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9d037bec24c39842fdb41d63d06b61860568da7267ea86be451b4e4681316e80
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0DB1C171900309AFDB10DF65C881BEEBBF5BF48304F14416EF959E7242D7B9A8918B64
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                 Control-flow Graph
                                                                                                                                                                                                                                 [Graph omitted: basic-block edge list of the function at 2ee21d1 (blocks 2ee21d1-2ee256e) in the unpacked 02ED0000 region. The graph shows one GetCPInfo call at block 2ee22d1-2ee22e0 and repeated calls to the internal subroutines 2ee6501, 2ee72b5, 2ee6bc3, 2eeb3b5, 2eeb567 and 2ed9a0c; its layout mirrors the 411f6a function above.]
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$Info
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2509303402-0
                                                                                                                                                                                                                                • Opcode ID: e97052e7d5d39c2e49c6ef11ebcd5deb8362bed3d67f9f3722abe09ca1aa8c7f
                                                                                                                                                                                                                                • Instruction ID: ceb527e763ee62eba296cb5e95a756e7f38d103a0fc678c7c241bd248c98a16e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e97052e7d5d39c2e49c6ef11ebcd5deb8362bed3d67f9f3722abe09ca1aa8c7f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FBB1A0719402059FDF21DFB5C880BEEBBF9BF08308F149469FA9AA7241DB7598458F60
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                 Control-flow Graph
                                                                                                                                                                                                                                 [Graph omitted: basic-block edge list of the function at 41f521 (blocks 41f521-41f66a). The graph shows repeated calls to 41629a and single calls to 41e8b4, 41ed6e and 41f694; no Windows API is called directly from this function.]
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • ___free_lconv_mon.LIBCMT ref: 0041F565
                                                                                                                                                                                                                                  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8D1
                                                                                                                                                                                                                                  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8E3
                                                                                                                                                                                                                                  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8F5
                                                                                                                                                                                                                                  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E907
                                                                                                                                                                                                                                  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E919
                                                                                                                                                                                                                                  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E92B
                                                                                                                                                                                                                                  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E93D
                                                                                                                                                                                                                                  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E94F
                                                                                                                                                                                                                                  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E961
                                                                                                                                                                                                                                  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E973
                                                                                                                                                                                                                                  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E985
                                                                                                                                                                                                                                  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E997
                                                                                                                                                                                                                                  • Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E9A9
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F55A
                                                                                                                                                                                                                                  • Part of subcall function 0041629A: HeapFree.KERNEL32(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
                                                                                                                                                                                                                                  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F57C
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F591
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F59C
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F5BE
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F5D1
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F5DF
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F5EA
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F622
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F629
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F646
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F65E
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 161543041-0
                                                                                                                                                                                                                                • Opcode ID: b9175880c53cb61b75c7f783674dde5ef8178fe79d68c96236a7112e5c5498ca
                                                                                                                                                                                                                                • Instruction ID: 316693fb469aea39a39253a8fd8e6cc64fc1a93db8be5688e07109e7d5df04fe
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b9175880c53cb61b75c7f783674dde5ef8178fe79d68c96236a7112e5c5498ca
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 33316C71500700AFEB20AE7AE845BD773E9FF44318F15446BE849D7262DA79ECC68A18
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; executed/not-executed colouring is not recoverable from the text): basic blocks 2eef788-2eef8d1, calls to 2ee6501 (_free), 2eeeb1b, 2eeefd5 and 2eef8fb
APIs
• ___free_lconv_mon.LIBCMT ref: 02EEF7CC
  • Part of subcall function 02EEEB1B: _free.LIBCMT ref: 02EEEB38
  • Part of subcall function 02EEEB1B: _free.LIBCMT ref: 02EEEB4A
  • Part of subcall function 02EEEB1B: _free.LIBCMT ref: 02EEEB5C
  • Part of subcall function 02EEEB1B: _free.LIBCMT ref: 02EEEB6E
  • Part of subcall function 02EEEB1B: _free.LIBCMT ref: 02EEEB80
  • Part of subcall function 02EEEB1B: _free.LIBCMT ref: 02EEEB92
  • Part of subcall function 02EEEB1B: _free.LIBCMT ref: 02EEEBA4
  • Part of subcall function 02EEEB1B: _free.LIBCMT ref: 02EEEBB6
  • Part of subcall function 02EEEB1B: _free.LIBCMT ref: 02EEEBC8
  • Part of subcall function 02EEEB1B: _free.LIBCMT ref: 02EEEBDA
  • Part of subcall function 02EEEB1B: _free.LIBCMT ref: 02EEEBEC
  • Part of subcall function 02EEEB1B: _free.LIBCMT ref: 02EEEBFE
  • Part of subcall function 02EEEB1B: _free.LIBCMT ref: 02EEEC10
• _free.LIBCMT ref: 02EEF7C1
  • Part of subcall function 02EE6501: HeapFree.KERNEL32(00000000,00000000,?,02EEF288,?,00000000,?,00000000,?,02EEF52C,?,00000007,?,?,02EEF920,?), ref: 02EE6517
  • Part of subcall function 02EE6501: GetLastError.KERNEL32(?,?,02EEF288,?,00000000,?,00000000,?,02EEF52C,?,00000007,?,?,02EEF920,?,?), ref: 02EE6529
• _free.LIBCMT ref: 02EEF7E3
• _free.LIBCMT ref: 02EEF7F8
• _free.LIBCMT ref: 02EEF803
• _free.LIBCMT ref: 02EEF825
• _free.LIBCMT ref: 02EEF838
• _free.LIBCMT ref: 02EEF846
• _free.LIBCMT ref: 02EEF851
• _free.LIBCMT ref: 02EEF889
• _free.LIBCMT ref: 02EEF890
• _free.LIBCMT ref: 02EEF8AD
• _free.LIBCMT ref: 02EEF8C5
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: b9175880c53cb61b75c7f783674dde5ef8178fe79d68c96236a7112e5c5498ca
• Instruction ID: 1a5008ae924ed9d8b10f6ab703331486876530f25f497bee5f6b955a93b44fd9
• Opcode Fuzzy Hash: b9175880c53cb61b75c7f783674dde5ef8178fe79d68c96236a7112e5c5498ca
• Instruction Fuzzy Hash: 393181326807019FEF709A78D888B5673EAEF00318F24E829E56AD7594EF71E944CB15
Uniqueness

Uniqueness Score: -1.00%

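The two entries above are the same CRT cleanup routine twice: once at 0041F521 in the loaded image (region 00400000, "based on PE: true") and once at 02EEF788 in a region at 02ED0000 that is not backed by any PE file ("based on PE: false"). They share the Opcode ID b9175880... and the same API list, while their Instruction IDs differ, which is what a relocated copy of the same code looks like; that is the concrete trace behind the unpacking and process-hollowing signatures in the report summary. The script below is an added triage helper, not part of the Joe Sandbox report or its IDA plugin: it parses the "Memory Dump Source" and "Similarity" fields of report entries and flags opcode hashes that occur in both a PE-backed and a non-PE-backed region. It assumes (not stated on the page) that Opcode ID hashes the instruction opcodes without their address-dependent operands, so an identical value across regions means identical code; the input text is constructed here from the two entries above.

```python
"""Cross-reference Joe Sandbox disassembly entries by Opcode ID.

Added triage helper, not part of the Joe Sandbox report. It reads the
"Memory Dump Source" and "Similarity" fields of report entries and flags
opcode hashes seen both in the PE-backed image and in a region that is not
backed by a PE file, the footprint an unpacked or injected copy of a
function leaves behind. Assumption: Opcode ID hashes opcodes without their
address-dependent operands, so a match across regions means the same code.
"""
import re
from collections import defaultdict, namedtuple

# Constructed input: the two report entries for the CRT free routine,
# reduced to the fields this script needs.
ENTRIES = """
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Similarity
• Opcode ID: b9175880c53cb61b75c7f783674dde5ef8178fe79d68c96236a7112e5c5498ca
• Instruction ID: 316693fb469aea39a39253a8fd8e6cc64fc1a93db8be5688e07109e7d5df04fe

Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Similarity
• Opcode ID: b9175880c53cb61b75c7f783674dde5ef8178fe79d68c96236a7112e5c5498ca
• Instruction ID: 1a5008ae924ed9d8b10f6ab703331486876530f25f497bee5f6b955a93b44fd9
"""

Entry = namedtuple("Entry", "offset pe_backed opcode_id instruction_id")

SOURCE_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
OPCODE_RE = re.compile(r"Opcode ID:\s*([0-9a-f]{64})")
INSTR_RE = re.compile(r"Instruction ID:\s*([0-9a-f]{64})")


def parse_entries(text):
    """Split the report text on the 'Memory Dump Source' header and build
    one Entry per block; blocks missing any of the three fields are skipped."""
    entries = []
    for chunk in text.split("Memory Dump Source")[1:]:
        src = SOURCE_RE.search(chunk)
        op = OPCODE_RE.search(chunk)
        ins = INSTR_RE.search(chunk)
        if not (src and op and ins):
            continue
        entries.append(Entry(int(src.group(1), 16), src.group(2) == "true",
                             op.group(1), ins.group(1)))
    return entries


def find_cross_region_copies(entries):
    """Group entries by Opcode ID and keep only the groups that span both a
    PE-backed and a non-PE-backed region, each group sorted by region base."""
    by_opcode = defaultdict(list)
    for entry in entries:
        by_opcode[entry.opcode_id].append(entry)
    return {
        opcode_id: sorted(group, key=lambda e: e.offset)
        for opcode_id, group in by_opcode.items()
        if {e.pe_backed for e in group} == {True, False}
    }


def region_delta(group):
    """Distance between the lowest and highest region base in a group."""
    bases = [e.offset for e in group]
    return max(bases) - min(bases)


if __name__ == "__main__":
    for opcode_id, group in find_cross_region_copies(parse_entries(ENTRIES)).items():
        print(f"opcode {opcode_id[:16]}... present in {len(group)} regions "
              f"(base delta 0x{region_delta(group):X}):")
        for e in group:
            kind = "PE image" if e.pe_backed else "unbacked region"
            print(f"  0x{e.offset:08X} {kind:16} instruction id {e.instruction_id[:16]}...")
```

Run against a whole report the same way: paste every disassembly entry into ENTRIES (or read the file) and the hits list is the set of functions the sample carried into non-image memory. A base delta of 0x2AD0000 between the two regions here, with different Instruction IDs, is consistent with the same opcodes assembled for a different load address rather than a byte-for-byte copy.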
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: ede1a756fe7c81b57652e01e6694f4d5898de535ff9c24b5680a7aebf79362e9
• Instruction ID: 728dd4b73fa8875da2944d3c1161fea0547f625c3b5c38e136dc442d3870b7dc
• Opcode Fuzzy Hash: ede1a756fe7c81b57652e01e6694f4d5898de535ff9c24b5680a7aebf79362e9
• Instruction Fuzzy Hash: 63C16376D40204BBDB20DFA9CC43FDA77F8AB48744F15416AFE05EB282E6749D818794
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00419F10: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D
• GetLastError.KERNEL32 ref: 0041A356
• __dosmaperr.LIBCMT ref: 0041A35D
• GetFileType.KERNEL32(00000000), ref: 0041A369
• GetLastError.KERNEL32 ref: 0041A373
• __dosmaperr.LIBCMT ref: 0041A37C
• CloseHandle.KERNEL32(00000000), ref: 0041A39C
• CloseHandle.KERNEL32(?), ref: 0041A4E6
• GetLastError.KERNEL32 ref: 0041A518
• __dosmaperr.LIBCMT ref: 0041A51F
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                                                                                                                • String ID: H
                                                                                                                                                                                                                                • API String ID: 4237864984-2852464175
                                                                                                                                                                                                                                • Opcode ID: 3d610beb6fdae7f59e9ad9f33e2ca6ec6ebc0d6293e5c15d19bd92f4cf96793f
                                                                                                                                                                                                                                • Instruction ID: 5ed0b96f73270941775a85281cb99d597b6a4d56659bde6f01148d564b9c2f2b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3d610beb6fdae7f59e9ad9f33e2ca6ec6ebc0d6293e5c15d19bd92f4cf96793f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DDA15732A041089FDF189F78D8517EE3BA1AF06324F18015EEC51EB391D7398D66C75A
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042422F), ref: 00423249
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: DecodePointer
                                                                                                                                                                                                                                • String ID: /BB$acos$asin$exp$log$log10$pow$sqrt
                                                                                                                                                                                                                                • API String ID: 3527080286-1021189420
                                                                                                                                                                                                                                • Opcode ID: 88552b8886f88d94b8d1bbcc7aafbfab123f3002aa15034899b0489058aea16a
                                                                                                                                                                                                                                • Instruction ID: 5f418b0c94ccf72204288f9fbe243b868e613e1cea8606976bda72b47a9d9e27
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 88552b8886f88d94b8d1bbcc7aafbfab123f3002aa15034899b0489058aea16a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 06518E70B00529CBDB10DFA9F9481AD7BB0FB49305FE44197E881A6254CB7D8B65CB2D
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C39
                                                                                                                                                                                                                                  • Part of subcall function 0041629A: HeapFree.KERNEL32(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
                                                                                                                                                                                                                                  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C45
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C50
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C5B
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C66
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C71
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C7C
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C87
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416C92
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00416CA0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                                                                                                • Opcode ID: b4e3df1a2592718950074ff961ccd1fa3b04f250d0db4e1414e8dc6a3248423b
                                                                                                                                                                                                                                • Instruction ID: 425b14d8582b8484cae793816d5f4fa8e3af98928aded5048720e3a5ca7bcabf
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b4e3df1a2592718950074ff961ccd1fa3b04f250d0db4e1414e8dc6a3248423b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B311E976100218BFDF01FF95D952DD93B65EF48358B4280AAFD088F222DA35EE919B84
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE6EA0
                                                                                                                                                                                                                                  • Part of subcall function 02EE6501: HeapFree.KERNEL32(00000000,00000000,?,02EEF288,?,00000000,?,00000000,?,02EEF52C,?,00000007,?,?,02EEF920,?), ref: 02EE6517
                                                                                                                                                                                                                                  • Part of subcall function 02EE6501: GetLastError.KERNEL32(?,?,02EEF288,?,00000000,?,00000000,?,02EEF52C,?,00000007,?,?,02EEF920,?,?), ref: 02EE6529
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE6EAC
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE6EB7
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE6EC2
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE6ECD
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE6ED8
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE6EE3
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE6EEE
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE6EF9
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE6F07
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                                                                                                • Opcode ID: b4e3df1a2592718950074ff961ccd1fa3b04f250d0db4e1414e8dc6a3248423b
                                                                                                                                                                                                                                • Instruction ID: 2294f780aff58b7bf9923c32b15b0629f9fc35a074b4b279633474d6b7c924c0
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b4e3df1a2592718950074ff961ccd1fa3b04f250d0db4e1414e8dc6a3248423b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AF11E376240008BFCF51EF95C844CDD3BAAEF14354B4198A1FA0A8F238DA32EA549F81
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 004011B5
                                                                                                                                                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
                                                                                                                                                                                                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204
                                                                                                                                                                                                                                  • Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
                                                                                                                                                                                                                                  • Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD
                                                                                                                                                                                                                                • std::bad_exception::bad_exception.LIBCMT ref: 00401225
                                                                                                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00401233
                                                                                                                                                                                                                                • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
                                                                                                                                                                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
                                                                                                                                                                                                                                • String ID: bad locale name
                                                                                                                                                                                                                                • API String ID: 835844855-1405518554
• Opcode ID: a090f8b72b9f032088bcf3b84daf861ba69faf3822e33b89ac944a869e89cca2
• Instruction ID: 9bdc7579a9a3bc6ca601cd004726ed2944731520d9260611c740ec4211b797ca
• Opcode Fuzzy Hash: a090f8b72b9f032088bcf3b84daf861ba69faf3822e33b89ac944a869e89cca2
• Instruction Fuzzy Hash: 5D319F31904B40DEC731AF6AD941A5BFBF4BF08714B508A7FE04AA3AA1C738B504CB59
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 02ED43F5
• std::_Lockit::_Lockit.LIBCPMT ref: 02ED4404
• int.LIBCPMT ref: 02ED441B
  • Part of subcall function 02ED157F: std::_Lockit::_Lockit.LIBCPMT ref: 02ED1590
  • Part of subcall function 02ED157F: std::_Lockit::~_Lockit.LIBCPMT ref: 02ED15AA
• std::locale::_Getfacet.LIBCPMT ref: 02ED4424
• std::_Facet_Register.LIBCPMT ref: 02ED4455
• std::_Lockit::~_Lockit.LIBCPMT ref: 02ED446B
• __CxxThrowException@8.LIBVCRUNTIME ref: 02ED4491
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID: _vB
• API String ID: 1202896665-2031504979
• Opcode ID: fc346c96f50ffa0ae8417ee06a27fb1f11bc101e5f50617f2bcd0e538bf8945f
• Instruction ID: 0b10bdb3c937a9437f4f5638ebd8d0f6f6cd901b0e244c3f9cce1c2c95172d64
• Opcode Fuzzy Hash: fc346c96f50ffa0ae8417ee06a27fb1f11bc101e5f50617f2bcd0e538bf8945f
• Instruction Fuzzy Hash: 301127729802288BCF11EBA4D804AEDB776EF94324F14D419F815A72D0DB349A02CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 02ED3861
• std::_Lockit::_Lockit.LIBCPMT ref: 02ED3870
• int.LIBCPMT ref: 02ED3887
  • Part of subcall function 02ED157F: std::_Lockit::_Lockit.LIBCPMT ref: 02ED1590
  • Part of subcall function 02ED157F: std::_Lockit::~_Lockit.LIBCPMT ref: 02ED15AA
• std::locale::_Getfacet.LIBCPMT ref: 02ED3890
• std::_Facet_Register.LIBCPMT ref: 02ED38C1
• std::_Lockit::~_Lockit.LIBCPMT ref: 02ED38D7
• __CxxThrowException@8.LIBVCRUNTIME ref: 02ED38FD
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID: _vB
• API String ID: 1202896665-2031504979
• Opcode ID: 3d358693115aeff1749e0ee4b38daaf9f72a0ca6830b75372d93bcd920b392a7
• Instruction ID: 8a5f1cc777b0594a4bae4e344677adc6b1efc06ef66993013ce6405c097b7841
• Opcode Fuzzy Hash: 3d358693115aeff1749e0ee4b38daaf9f72a0ca6830b75372d93bcd920b392a7
• Instruction Fuzzy Hash: B6110A76D801249BCB11FB94D804AEDB776EF44715F14946AF415B72D0DB748902CF92
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 02ED3656
• std::_Lockit::_Lockit.LIBCPMT ref: 02ED3665
• int.LIBCPMT ref: 02ED367C
  • Part of subcall function 02ED157F: std::_Lockit::_Lockit.LIBCPMT ref: 02ED1590
  • Part of subcall function 02ED157F: std::_Lockit::~_Lockit.LIBCPMT ref: 02ED15AA
• std::locale::_Getfacet.LIBCPMT ref: 02ED3685
• std::_Facet_Register.LIBCPMT ref: 02ED36B6
• std::_Lockit::~_Lockit.LIBCPMT ref: 02ED36CC
• __CxxThrowException@8.LIBVCRUNTIME ref: 02ED36F2
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID: _vB
• API String ID: 1202896665-2031504979
• Opcode ID: 24ac42d491a15661983952bfe5964fcfc5bf883f37f088e85fec32acd73a0a07
• Instruction ID: 11fa10a2d88eca3210743461d76af661ff520aef27b842efa1bf33c3b148c064
• Opcode Fuzzy Hash: 24ac42d491a15661983952bfe5964fcfc5bf883f37f088e85fec32acd73a0a07
• Instruction Fuzzy Hash: D4110A769801249BCB15EBA4C804AEEB776EF84364F149459F425773D0CB748902CF92
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c26c3a26d84435dadb32eec829eed0824bf3e56cab88ec35bc99dc9cc53e9ab8
• Instruction ID: ad7a334a3c542fe0f14731be173b353b81adde24e2ae5a0363ed5934dc533936
• Opcode Fuzzy Hash: c26c3a26d84435dadb32eec829eed0824bf3e56cab88ec35bc99dc9cc53e9ab8
• Instruction Fuzzy Hash: 72C11A71D04249AFDB11CFA9C850BEE7BB1BF09314F08419AE854B7392C7789D81CB69
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c333506b60f9a2cbe16c25422fb5c8dc001c6824b257e592f442b80053a19a3
• Instruction ID: 0ad29d19ae87f8a079fc49a7b465df46a5c90ab3fcfcfe7294c94f0485559d99
• Opcode Fuzzy Hash: 1c333506b60f9a2cbe16c25422fb5c8dc001c6824b257e592f442b80053a19a3
• Instruction Fuzzy Hash: 73C106B0E842499FDF11CFA8D851BEDBBF5AF09314F08A494E952A73A2C7308945CF65
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
• _memcmp.LIBVCRUNTIME ref: 00414CF4
• _free.LIBCMT ref: 00414D65
• _free.LIBCMT ref: 00414D7E
• _free.LIBCMT ref: 00414DB0
• _free.LIBCMT ref: 00414DB9
• _free.LIBCMT ref: 00414DC5
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
• Opcode ID: 8f87c09ea476144f3408270848766069dd2a72959f888511d1f2eb11bfac3621
                                                                                                                                                                                                                                • Instruction ID: af268d229fb851bfdfa469d3d7016fc6fe3b7b40d7c0f50ff16bf374563e7c73
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8f87c09ea476144f3408270848766069dd2a72959f888511d1f2eb11bfac3621
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7CB12975A016199BDB24DF18D884BEEB7B4FF88304F6045AAE809A7350E735AED1CF44
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 02EE6F80: GetLastError.KERNEL32(?,?,02EDE697,?,?,?,02EDED94,?), ref: 02EE6F84
                                                                                                                                                                                                                                  • Part of subcall function 02EE6F80: _free.LIBCMT ref: 02EE6FB7
                                                                                                                                                                                                                                  • Part of subcall function 02EE6F80: SetLastError.KERNEL32(00000000), ref: 02EE6FF8
                                                                                                                                                                                                                                  • Part of subcall function 02EE6F80: _abort.LIBCMT ref: 02EE6FFE
                                                                                                                                                                                                                                • _memcmp.LIBVCRUNTIME ref: 02EE4F5B
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE4FCC
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE4FE5
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE5017
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE5020
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE502C
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                                                                                                • String ID: C
                                                                                                                                                                                                                                • API String ID: 1679612858-1037565863
                                                                                                                                                                                                                                • Opcode ID: 2dcdab9ff37da07fbf13cf7196123cc144f196f64e2833b55e76e053da9afdf4
                                                                                                                                                                                                                                • Instruction ID: f657194ac14b1eb43c1bd800a531b195a0778d17fb4e1eef89f31f698c1f3bd1
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2dcdab9ff37da07fbf13cf7196123cc144f196f64e2833b55e76e053da9afdf4
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 20B14B75A412199FDF24DF18C884BADB3B5FF48308F5095AAE90AA7394D731AE90CF40
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
                                                                                                                                                                                                                                • __alloca_probe_16.LIBCMT ref: 004167D1
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
                                                                                                                                                                                                                                • __alloca_probe_16.LIBCMT ref: 004168B6
                                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
                                                                                                                                                                                                                                • __freea.LIBCMT ref: 00416926
                                                                                                                                                                                                                                  • Part of subcall function 00417A45: HeapAlloc.KERNEL32(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                • __freea.LIBCMT ref: 0041692F
                                                                                                                                                                                                                                • __freea.LIBCMT ref: 00416954
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2597970681-0
                                                                                                                                                                                                                                • Opcode ID: f9eec1d03ef488200257542b3a30a4a1c023565d73c6751b204851a68cbc467a
                                                                                                                                                                                                                                • Instruction ID: 3d3e7015d1c5c7bc026f1fbb08fe6865a4c6ffd2cfadb9c0ba95752873af972a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f9eec1d03ef488200257542b3a30a4a1c023565d73c6751b204851a68cbc467a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4751F5B2610216ABDB259F65CC41EFF7BA9EF40754F16462EFD04D6280DB38DC80C668
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 269201875-0
                                                                                                                                                                                                                                • Opcode ID: e68a25c084fc20a1e1d7f08a61fe8f3dbfc97445b378353a219a7845841ba709
                                                                                                                                                                                                                                • Instruction ID: 73c135ea74765e4518f9d8ef1c60bb5e0d099e6adef79961ba2dbed29d3485ac
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e68a25c084fc20a1e1d7f08a61fe8f3dbfc97445b378353a219a7845841ba709
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8C61A076904305AFDB20DF66C842BDABBF4EF48710F1441ABEC45EB281D7749D828B98
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 269201875-0
                                                                                                                                                                                                                                • Opcode ID: f8833a0de0791504dabcccc7c771c2f5db8e414cd847f9ac854e63f406939190
                                                                                                                                                                                                                                • Instruction ID: e9583a5ec6ec707344b9a7803d9e8a5fa4421af4aff76ad962fb17578650e2fb
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f8833a0de0791504dabcccc7c771c2f5db8e414cd847f9ac854e63f406939190
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F161E572D80209AFDF20DFA4C841B9ABBF5EF48314F14956AE946EB245EB709D41CB90
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
                                                                                                                                                                                                                                • __fassign.LIBCMT ref: 00415AD0
                                                                                                                                                                                                                                • __fassign.LIBCMT ref: 00415AEB
                                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
                                                                                                                                                                                                                                • WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
                                                                                                                                                                                                                                • WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1324828854-0
                                                                                                                                                                                                                                • Opcode ID: ae6401f21b7801d045f97308b9b06165aa02294ae80e5cf11490d6b3e53dbacb
                                                                                                                                                                                                                                • Instruction ID: 407e3908cef374265deb6243eed94e9e176cff0c31ef9f6c7349134872b618e9
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ae6401f21b7801d045f97308b9b06165aa02294ae80e5cf11490d6b3e53dbacb
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 725105B0A04608DFDB10CFA8D881AEEBBF8EF49310F14416BE955F3251D774A981CB69
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,02EE63EF,?,?,?,?,?,?), ref: 02EE5CBC
                                                                                                                                                                                                                                • __fassign.LIBCMT ref: 02EE5D37
                                                                                                                                                                                                                                • __fassign.LIBCMT ref: 02EE5D52
                                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 02EE5D78
                                                                                                                                                                                                                                • WriteFile.KERNEL32(?,?,00000000,02EE63EF,00000000,?,?,?,?,?,?,?,?,?,02EE63EF,?), ref: 02EE5D97
                                                                                                                                                                                                                                • WriteFile.KERNEL32(?,?,00000001,02EE63EF,00000000,?,?,?,?,?,?,?,?,?,02EE63EF,?), ref: 02EE5DD0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1324828854-0
                                                                                                                                                                                                                                • Opcode ID: bcc7f49e5f9acd1ab4da29e29a7effa70e0c752b6185b76a6d92c3c1d252d699
                                                                                                                                                                                                                                • Instruction ID: 9adc4f03b324f0597f062fa3b07de8ed385f3906b756a6a1f10cc421d12b243d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bcc7f49e5f9acd1ab4da29e29a7effa70e0c752b6185b76a6d92c3c1d252d699
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4751E470A402459FDF10CFA8DC84AEEBBF8EF09318F14906AE946F7290D7309951CBA1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 0040C7DB
                                                                                                                                                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 0040C7E3
                                                                                                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 0040C871
                                                                                                                                                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 0040C89C
                                                                                                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 0040C8F1
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                                • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                • Opcode ID: 796a0128d9dbb3bf8459a97561fbccceb7ea0ac6e0ba9330f3f48fee75113795
                                                                                                                                                                                                                                • Instruction ID: 3eebbe8c3ad0fa61f276611c5937d4e28261350d7e8d9123906714334ee199f9
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 796a0128d9dbb3bf8459a97561fbccceb7ea0ac6e0ba9330f3f48fee75113795
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 59418235E00208DBCB10EF69C880A9EBBB5AF45325F14C27BE8156B3D1D7399945CB99
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 02ED141C
                                                                                                                                                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 02ED142E
                                                                                                                                                                                                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 02ED146B
                                                                                                                                                                                                                                  • Part of subcall function 02ED80E1: _Yarn.LIBCPMT ref: 02ED8100
                                                                                                                                                                                                                                  • Part of subcall function 02ED80E1: _Yarn.LIBCPMT ref: 02ED8124
                                                                                                                                                                                                                                • std::bad_exception::bad_exception.LIBCMT ref: 02ED148C
                                                                                                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 02ED149A
                                                                                                                                                                                                                                • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 02ED14BD
                                                                                                                                                                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 02ED152E
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 835844855-0
                                                                                                                                                                                                                                • Opcode ID: d4016aa6201875b868c5713db93660535a29781f4af20a4f0b734588d552bf06
                                                                                                                                                                                                                                • Instruction ID: 8582e8e7f4c7f674fea09a85a9b2942b7431ace7270130e2911735b066c0af5e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d4016aa6201875b868c5713db93660535a29781f4af20a4f0b734588d552bf06
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 00317A72844B009FC731AF69E84065AFBF5FF48714B10DA2FE08B96A40CB74A606CF59
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 00426004
                                                                                                                                                                                                                                • RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043AE60,SOFTWARE\BroomCleaner), ref: 0042602C
                                                                                                                                                                                                                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,0043AE60,0043AE61,Installed,Installed), ref: 004260AF
                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 004260D0
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CloseCreateH_prologValue
                                                                                                                                                                                                                                • String ID: Installed$SOFTWARE\BroomCleaner
                                                                                                                                                                                                                                • API String ID: 1996196666-529226407
                                                                                                                                                                                                                                • Opcode ID: 0c1498eeef2a83cafb83bf210d5a9b90b4b671d1f7746b808874f939b35d2cd9
                                                                                                                                                                                                                                • Instruction ID: 88d0ffafad339e53c26632b4546833d70425ff8bf3c95ccbaa1921ace6490f97
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0c1498eeef2a83cafb83bf210d5a9b90b4b671d1f7746b808874f939b35d2cd9
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E431A771A00228AFDB148FA8DC94AFEBB78FB08358F44012EE802B3281C7B51D05CB64
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%
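
The record above is the one function in this listing that is not C runtime scaffolding: it opens or creates a key under root handle 80000001 (HKEY_CURRENT_USER per winreg.h) named SOFTWARE\BroomCleaner with samDesired 000F003F (KEY_ALL_ACCESS), writes a value of type 00000001 (REG_SZ), and the strings 185.172.128.90 and /cpa/ping.php?substr=%s&s=ab&sub=%s sit in the stack slots Joe Sandbox printed for RegCloseKey. One caveat a reader should carry through this whole section: the parenthesised values are stack slots at the call site, printed well past the real argument count (RegCloseKey takes a single HKEY, yet fourteen values are shown), so a string next to a call is only evidence that it was nearby on the stack, not that it was passed to that API. The Python below is an added example, not code from the Joe Sandbox report or its tooling. It parses "APIs" bullet lines in the exact layout used on this page into structured calls, decodes arguments positionally only for the registry APIs whose prototypes are known, and collects the rest of the strings as IOC candidates. The sample input is copied from the BroomCleaner record above plus one "Part of subcall function" line from the _free record; the assumed line format (name.MODULE(args), ref: VA) is the only thing inferred from the page rather than documented.

```python
"""Parse Joe Sandbox "APIs" bullet lines into structured calls and pull IOCs.

Added example, not part of the Joe Sandbox report or its tooling.  The line
layout (optional "Part of subcall function VA:" prefix, Name.MODULE, optional
comma-separated stack slots in parentheses, then "ref: VA") is assumed from
what the report page shows; the HKEY, REG_* and access-mask constants are the
winreg.h values.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Predefined registry root handles (winreg.h).
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
SAM_DESIRED = {0x000F003F: "KEY_ALL_ACCESS", 0x00020019: "KEY_READ",
               0x00020006: "KEY_WRITE"}

# One "APIs" bullet as printed on the page.  The args group is greedy and
# backtracks to the last ")" before ", ref:", so commas and dots inside
# URL-looking slots do not break the match.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Copied from the SOFTWARE\BroomCleaner record and the _free record above.
SAMPLE_APIS = r"""
• __EH_prolog.LIBCMT ref: 00426004
• RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043AE60,SOFTWARE\BroomCleaner), ref: 0042602C
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,0043AE60,0043AE61,Installed,Installed), ref: 004260AF
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 004260D0
  • Part of subcall function 0041629A: HeapFree.KERNEL32(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
"""


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                      # virtual address of the call site
    args: list = field(default_factory=list)   # raw stack slots, "?" = unresolved
    subcall_of: Optional[str] = None           # VA of the callee for subcall lines


def hexval(arg):
    """Hex slot -> int; None for '?' or for slots holding a string."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_api_line(line):
    m = API_LINE.match(line)
    if not m:
        return None
    args = m.group("args")
    return ApiCall(m.group("name"), m.group("module"), m.group("ref"),
                   args.split(",") if args is not None else [], m.group("sub"))


def parse_api_block(text):
    return [c for c in (parse_api_line(ln) for ln in text.splitlines()) if c]


def extract_iocs(calls):
    """Decode positionally only where the prototype is known; every other slot
    is treated as a string that was merely near the call on the stack."""
    iocs = {"registry_keys": [], "registry_access": [], "reg_value_types": [],
            "ipv4": [], "url_paths": []}
    for c in calls:
        # RegCreateKeyEx(hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, ...)
        if c.name.startswith("RegCreateKeyEx") and len(c.args) >= 6:
            root = HKEY_ROOTS.get(hexval(c.args[0]))
            if root:
                iocs["registry_keys"].append(root + "\\" + c.args[1])
            sam = hexval(c.args[5])
            iocs["registry_access"].append(SAM_DESIRED.get(sam, c.args[5]))
        # RegSetValueEx(hKey, lpValueName, Reserved, dwType, lpData, cbData)
        if c.name.startswith("RegSetValueEx") and len(c.args) >= 4:
            vtype = REG_TYPES.get(hexval(c.args[3]), c.args[3])
            iocs["reg_value_types"].append((c.args[1], vtype))
        for a in c.args:
            if IPV4.match(a):
                iocs["ipv4"].append(a)
            elif a.startswith("/") and len(a) > 1:
                iocs["url_paths"].append(a)
    return {k: list(dict.fromkeys(v)) for k, v in iocs.items()}


if __name__ == "__main__":
    for key, vals in extract_iocs(parse_api_block(SAMPLE_APIS)).items():
        print(f"{key}: {vals}")
```

On the record above this yields the key HKEY_CURRENT_USER\SOFTWARE\BroomCleaner opened with KEY_ALL_ACCESS, one REG_SZ value whose name the sandbox could not resolve (the slot is "?", even though "Installed" is among the function's referenced strings), the IPv4 address and the ping.php path. Feeding every "APIs" block of a report through parse_api_block and diffing the decoded registry keys against a clean baseline is a quicker way to find the handful of non-CRT functions in a listing like this than reading the records one by one.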

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: da3a417481234f6a5cce791f459c1180441bcfe0ab5ce7d00eccf100f1f65345
                                                                                                                                                                                                                                • Instruction ID: 9c8ef9f1e7886cc92e32ce44b389b8283dd6e8511c6332daddb66b94c38c2fe8
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: da3a417481234f6a5cce791f459c1180441bcfe0ab5ce7d00eccf100f1f65345
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8E11E7726081257BDB203FB39D059AF3B6CEF92764751062EFC15D6251DEBCC88282B9
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 0041EFF3: _free.LIBCMT ref: 0041F01C
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F2FA
                                                                                                                                                                                                                                  • Part of subcall function 0041629A: HeapFree.KERNEL32(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
                                                                                                                                                                                                                                  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041F305
• _free.LIBCMT ref: 0041F310
• _free.LIBCMT ref: 0041F364
• _free.LIBCMT ref: 0041F36F
• _free.LIBCMT ref: 0041F37A
• _free.LIBCMT ref: 0041F385
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
• Instruction ID: be7813cec9e76b844f682d4c097dbd82c10abeb52ecb146189267b1763b940f2
• Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
• Instruction Fuzzy Hash: 1F114272541B24B6D920BB72DC07FCBB7DCBF44708F40081EBE9E66052DA7DB5868654
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02EEF25A: _free.LIBCMT ref: 02EEF283
• _free.LIBCMT ref: 02EEF561
  • Part of subcall function 02EE6501: HeapFree.KERNEL32(00000000,00000000,?,02EEF288,?,00000000,?,00000000,?,02EEF52C,?,00000007,?,?,02EEF920,?), ref: 02EE6517
  • Part of subcall function 02EE6501: GetLastError.KERNEL32(?,?,02EEF288,?,00000000,?,00000000,?,02EEF52C,?,00000007,?,?,02EEF920,?,?), ref: 02EE6529
• _free.LIBCMT ref: 02EEF56C
• _free.LIBCMT ref: 02EEF577
• _free.LIBCMT ref: 02EEF5CB
• _free.LIBCMT ref: 02EEF5D6
• _free.LIBCMT ref: 02EEF5E1
• _free.LIBCMT ref: 02EEF5EC
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
• Instruction ID: dc884901472d71ae28b1c16321955e28cd3820808e27551ce4b78f2fe6e31e76
• Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
• Instruction Fuzzy Hash: 23115472580B04AADE30B7B0CC4AFCB7B9E6F48701F409C15B79F66454EB65F5044E92
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0040418E
• std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
• int.LIBCPMT ref: 004041B4
  • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
  • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
• std::locale::_Getfacet.LIBCPMT ref: 004041BD
• std::_Facet_Register.LIBCPMT ref: 004041EE
• std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040422A
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID:
• API String ID: 1202896665-0
• Opcode ID: fc346c96f50ffa0ae8417ee06a27fb1f11bc101e5f50617f2bcd0e538bf8945f
• Instruction ID: 83cc51774d47ba4475a281f6d7b020c526a0fd19fbdba44bd5d3cb2c7b641a00
• Opcode Fuzzy Hash: fc346c96f50ffa0ae8417ee06a27fb1f11bc101e5f50617f2bcd0e538bf8945f
• Instruction Fuzzy Hash: EC110871A001289BCB04EBA4DC06AEE7774EF84358F10057FF915772D1DB389900C7A9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004033EF
• std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
• int.LIBCPMT ref: 00403415
  • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
  • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
• std::locale::_Getfacet.LIBCPMT ref: 0040341E
• std::_Facet_Register.LIBCPMT ref: 0040344F
• std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040348B
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID:
• API String ID: 1202896665-0
• Opcode ID: 24ac42d491a15661983952bfe5964fcfc5bf883f37f088e85fec32acd73a0a07
• Instruction ID: 705b121528f6e187a552e9d34ae6b3df2024d0ee7a8324a724e42d77b9682124
• Opcode Fuzzy Hash: 24ac42d491a15661983952bfe5964fcfc5bf883f37f088e85fec32acd73a0a07
• Instruction Fuzzy Hash: B311C4329001289BCB05EFA8C805AEE7B78EF84359F10452FF811772D1DB789A00CB9A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004035FA
• std::_Lockit::_Lockit.LIBCPMT ref: 00403609
• int.LIBCPMT ref: 00403620
  • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
  • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
• std::locale::_Getfacet.LIBCPMT ref: 00403629
• std::_Facet_Register.LIBCPMT ref: 0040365A
• std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
• __CxxThrowException@8.LIBVCRUNTIME ref: 00403696
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID:
• API String ID: 1202896665-0
• Opcode ID: 3d358693115aeff1749e0ee4b38daaf9f72a0ca6830b75372d93bcd920b392a7
• Instruction ID: 4997e6bde17a0f635c2d016693c2f4113915c820df16c93ef0ac66c49e5cddc6
• Opcode Fuzzy Hash: 3d358693115aeff1749e0ee4b38daaf9f72a0ca6830b75372d93bcd920b392a7
• Instruction Fuzzy Hash: DE11B232A001249BCB14EFA9C805AEE7B78AF44759F10452FF811773D1DB389A04CB99
Uniqueness
• Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,02EE6BF7,00000001,00000001,?), ref: 02EE6A00
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,02EE6BF7,00000001,00000001,?,?,?,?), ref: 02EE6A86
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02EE6B80
• __freea.LIBCMT ref: 02EE6B8D
  • Part of subcall function 02EE7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02EE7CDE
• __freea.LIBCMT ref: 02EE6B96
• __freea.LIBCMT ref: 02EE6BBB
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1414292761-0
                                                                                                                                                                                                                                • Opcode ID: 0f73ec244de15a6da3a369d6d53f2abaa512a9059a296f3a28781672e1b0d4f4
                                                                                                                                                                                                                                • Instruction ID: 3237214a548b640d1fd0f06faf0dafe03a1ef782100ed3d36acf61af36d73120
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0f73ec244de15a6da3a369d6d53f2abaa512a9059a296f3a28781672e1b0d4f4
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0551E472A80216ABDF254F64CC90EAF77AEEB64758F159628FD06D7140EB35EC80C750
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: __cftoe
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 4189289331-0
                                                                                                                                                                                                                                • Opcode ID: a485617db110597ec1b9df0d6f289f1fb0bfa04032b722232bc564a93a62f50a
                                                                                                                                                                                                                                • Instruction ID: a06c4f6ae663fca8f796a33128cbcfeb149533fe63f1b311835a711b56a71280
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a485617db110597ec1b9df0d6f289f1fb0bfa04032b722232bc564a93a62f50a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4951FD72904205ABDF209B699D41EEF77A99F48364F10011FFA15962A2EB3DDD80C65C
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: __cftoe
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 4189289331-0
                                                                                                                                                                                                                                • Opcode ID: e4bf59b0ec1b744cc32f8c0c94128242877339c1908a2c1c4c186e4d7dced7e5
                                                                                                                                                                                                                                • Instruction ID: 225bbe8587d270a3f7c4159913cf7d856c85cafcf9dc6fdf6dadbcc9b6424802
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e4bf59b0ec1b744cc32f8c0c94128242877339c1908a2c1c4c186e4d7dced7e5
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 41511D72940205ABDF346B698C44FBE77A9EF49369F10E219F81FDA190DB71DD80CA60
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,0040C9AC,0040A25B), ref: 0040C9C3
                                                                                                                                                                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D1
                                                                                                                                                                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9EA
                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000,?,0040C9AC,0040A25B), ref: 0040CA3C
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3852720340-0
                                                                                                                                                                                                                                • Opcode ID: dda85f426682c11d9b33ef5ba38ffa0ea102861d0ad458e8535b07384916c05f
                                                                                                                                                                                                                                • Instruction ID: 6f2bd147e8afdd7a043ddb4cc032e70cd0d7bbdad2502d4e2c804448eb78ecb9
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dda85f426682c11d9b33ef5ba38ffa0ea102861d0ad458e8535b07384916c05f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3D01F57260D215AEE63857B5BDC5B6B2665DB01378320033FF214B02F0EEBD4C06955C
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,02EDCC13,02EDA4C2), ref: 02EDCC2A
                                                                                                                                                                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02EDCC38
                                                                                                                                                                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02EDCC51
                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000,?,02EDCC13,02EDA4C2), ref: 02EDCCA3
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3852720340-0
                                                                                                                                                                                                                                • Opcode ID: 830170af9e05d3dbdbf0f1320e03d58499cc30579d0bb48bb262cb75337020d8
                                                                                                                                                                                                                                • Instruction ID: 9af0209c8da1e5698d10d81598534167ea5c6fb7bf3441040aa22a0a57048967
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 830170af9e05d3dbdbf0f1320e03d58499cc30579d0bb48bb262cb75337020d8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F301D8332893215E962427B5BD88BAB2765EB017B9730BA3FF714950F0EF514C03C944
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3160817290-0
                                                                                                                                                                                                                                • Opcode ID: f96bdeef7c0e3eccb1d63bd3d789de4010dedbd7b57bf7c614ef8227c1c7df8a
                                                                                                                                                                                                                                • Instruction ID: 67229b3f983384f7021419eb0c05c433d1635833c178197dce61a7b79ae5b6d3
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f96bdeef7c0e3eccb1d63bd3d789de4010dedbd7b57bf7c614ef8227c1c7df8a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E1F0A931784B1026C61177367C09BDF27295FC1765B27092FF518A2291EE7CDCC6815D
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3160817290-0
                                                                                                                                                                                                                                • Opcode ID: f96bdeef7c0e3eccb1d63bd3d789de4010dedbd7b57bf7c614ef8227c1c7df8a
                                                                                                                                                                                                                                • Instruction ID: d8b5f894ab45cb9dfe9e8a99298a304287fecb433906f73dd2fbe7f42b9d7eb4
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f96bdeef7c0e3eccb1d63bd3d789de4010dedbd7b57bf7c614ef8227c1c7df8a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 94F02D716C45112BCF213B766C08F5F361E9BD1735F25E434F527D2190EF608806C926
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID: /ping.php?substr=%s$185.172.128.228$Installed$qvB
                                                                                                                                                                                                                                • API String ID: 3519838083-3387484886
                                                                                                                                                                                                                                • Opcode ID: dbdcc093d5ff49b9939fbe79e5565d2d08c15c449c4736c25c3cf056a1d98fb5
                                                                                                                                                                                                                                • Instruction ID: 4ce39ec4d3a4601a0db3db4e3b94b4fb6983a199b264d08ed5037f7ea11d3490
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dbdcc093d5ff49b9939fbe79e5565d2d08c15c449c4736c25c3cf056a1d98fb5
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0301C072A81515ABD7049F88DC40BAEB7BAFF44714F10916AF808D7241D3B0AA528EE5
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042E2F0,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
                                                                                                                                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042E2F0,FlsSetValue,00000000), ref: 0041729F
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                • String ID: -@
                                                                                                                                                                                                                                • API String ID: 3177248105-2564449678
                                                                                                                                                                                                                                • Opcode ID: ca8a45eebd2a79313c9465f68ee09d2646c408a2010e3a78c504b4db5e2a09bb
                                                                                                                                                                                                                                • Instruction ID: 4020431c692cdd365c1edb7e0a14a8f9a79106a1dcbffcc21bafc0d3a38fe4c7
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ca8a45eebd2a79313c9465f68ee09d2646c408a2010e3a78c504b4db5e2a09bb
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3A012B3674A6229BC7314B699C449DB7BB8AF457B07110676F90AD7240CB38D847C6EC
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 00426131
                                                                                                                                                                                                                                • WriteFile.KERNEL32(00000000,?,00000400,AWB,00000000), ref: 00426149
                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00426152
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: File$CloseCreateHandleWrite
                                                                                                                                                                                                                                • String ID: /syncUpd.exe$AWB
                                                                                                                                                                                                                                • API String ID: 1065093856-3279009668
                                                                                                                                                                                                                                • Opcode ID: a912db88f114df2c6673003673c4522d4d60e875e8989093ee3ec27779da3b73
                                                                                                                                                                                                                                • Instruction ID: ea454d58db3f570a703faf9f62bcad87da157c20184f63e0e300e902c8c0e078
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a912db88f114df2c6673003673c4522d4d60e875e8989093ee3ec27779da3b73
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D5F0F9B2301631BBD72416A6AC49E6BBB5DEF447A4F41003AF705D3292DA75FC1582AC
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
                                                                                                                                                                                                                                • std::system_error::system_error.LIBCPMT ref: 004018D8
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Exception@8Throwstd::system_error::system_error
                                                                                                                                                                                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                                                                • API String ID: 1589814233-1866435925
                                                                                                                                                                                                                                • Opcode ID: e60b9ed89db90c4e39532bb7c6aaac4610bd40bec14260a39e28585c0d896fd8
                                                                                                                                                                                                                                • Instruction ID: e5a36d636a31146743a29846f322d727076c10bf51cb576a0d0ebd87300f877c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e60b9ed89db90c4e39532bb7c6aaac4610bd40bec14260a39e28585c0d896fd8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 54F0AFA290035C63DB10B9659802BEA7B989F09358F24803BFD45761E1DA795A04C6ED
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 02ED1B30
                                                                                                                                                                                                                                • std::system_error::system_error.LIBCPMT ref: 02ED1B3F
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Exception@8Throwstd::system_error::system_error
                                                                                                                                                                                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                                                                • API String ID: 1589814233-1866435925
                                                                                                                                                                                                                                • Opcode ID: e60b9ed89db90c4e39532bb7c6aaac4610bd40bec14260a39e28585c0d896fd8
                                                                                                                                                                                                                                • Instruction ID: 2fcc24a3159aa69a217c1bc953c3b76a172b18fa4d73d36af6f945034d9ec451
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e60b9ed89db90c4e39532bb7c6aaac4610bd40bec14260a39e28585c0d896fd8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 75F0F6B198432CB3CB10A6949C50FE97B999F08390F10E025FD4C6F180E7B55A01C7E8
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00437D60,0000000C,00413B14,00000003,00000002), ref: 00413A8C
                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00437D60,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                • Opcode ID: e9ab9df708068ff77d02737265f27547bccff245a6d09e8574e118d44c2a6cbc
                                                                                                                                                                                                                                • Instruction ID: 7ce0cb3fbee047f4a8559af6233cdb304d6a34e640ed2fcc4eaf65fddaef0d9f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e9ab9df708068ff77d02737265f27547bccff245a6d09e8574e118d44c2a6cbc
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F0F04431A01118BBDB119F94DC09BDEBFB8EF44752F5540AAF809A2290DF785E85CB9C
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 40cab8f7c20ceae8ae22ba04d2332552c3c05e9d299873fb0615aa8a463a3c1a
                                                                                                                                                                                                                                • Instruction ID: 6ea283d57a609fffab434fde2135b7d270b6c6f02c2325d1109ee2994591e76b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 40cab8f7c20ceae8ae22ba04d2332552c3c05e9d299873fb0615aa8a463a3c1a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AE7129719062969BCB308F94C844AFFBB76FF41360F14022BE91457280D778ACE1C7AA
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 40cab8f7c20ceae8ae22ba04d2332552c3c05e9d299873fb0615aa8a463a3c1a
                                                                                                                                                                                                                                • Instruction ID: 16adad05522490a024fdd120a3b1f1c1349e8268cda6fdf72f1f3e235fe2dcb3
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 40cab8f7c20ceae8ae22ba04d2332552c3c05e9d299873fb0615aa8a463a3c1a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 43719231A802169BCF219F94C884AFFBB75EF42359F14E23DE85267350DB708985CBA1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 00417A45: HeapAlloc.KERNEL32(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                • _free.LIBCMT ref: 004146D7
                                                                                                                                                                                                                                • _free.LIBCMT ref: 004146EE
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041470D
                                                                                                                                                                                                                                • _free.LIBCMT ref: 00414728
                                                                                                                                                                                                                                • _free.LIBCMT ref: 0041473F
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$AllocHeap
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1835388192-0
                                                                                                                                                                                                                                • Opcode ID: 7e145fb4ba94dc3237958cad872b9e908e7f7c9f1f6bf31c302f80a0328396d6
                                                                                                                                                                                                                                • Instruction ID: 1364ae8c8bed3babfbeb70cadbec98ce06422c2098a54f189f7d31eb1db71690
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7e145fb4ba94dc3237958cad872b9e908e7f7c9f1f6bf31c302f80a0328396d6
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7251E571A00304AFDB20DF65D881BAA77F5EF99728F14056EE809D7690E739ED81CB48
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$AllocateHeap
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3033488037-0
                                                                                                                                                                                                                                • Opcode ID: d20824fdcacda83af1664dbc103671d64a4d903058c6e02df8cb7ef10616926c
                                                                                                                                                                                                                                • Instruction ID: d140feb5472b2f11ca77445329f883993024cad2bc73091d4047bb2fbf28b93d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d20824fdcacda83af1664dbc103671d64a4d903058c6e02df8cb7ef10616926c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9051C231A40205AFDF209F69CC80B6A77F5FF58728B149569E90AE7290E731EA01CB44
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 269201875-0
                                                                                                                                                                                                                                • Opcode ID: 57661e68e417e5a0554fbeacdd405e98a6be487f0d2ab815210d62823c981124
                                                                                                                                                                                                                                • Instruction ID: 8cf76a1bb0839b7cd8128bcbec6e1cebe900e569fbfc9cf9c78d37498cff2dcd
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 57661e68e417e5a0554fbeacdd405e98a6be487f0d2ab815210d62823c981124
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B241E032E00700EBCB15DFB9C880ADEB7B5EF89314B1185AAE515EB382D734AD41CB84
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 269201875-0
                                                                                                                                                                                                                                • Opcode ID: 57661e68e417e5a0554fbeacdd405e98a6be487f0d2ab815210d62823c981124
                                                                                                                                                                                                                                • Instruction ID: e827ae4bc09a3164f7d78b218acaa0e068a43bb06e16a111fbd25b2be128df63
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 57661e68e417e5a0554fbeacdd405e98a6be487f0d2ab815210d62823c981124
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A341D336A403009FCF14DF78C880A5DB3B6EF85318F5595A9E916EB395DB71AD01CB80
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0041197C,?,00000000,?,00000001,?,?,00000001,0041197C,?), ref: 0041B34D
                                                                                                                                                                                                                                • __alloca_probe_16.LIBCMT ref: 0041B385
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B3D6
                                                                                                                                                                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DD1,?), ref: 0041B3E8
                                                                                                                                                                                                                                • __freea.LIBCMT ref: 0041B3F1
                                                                                                                                                                                                                                  • Part of subcall function 00417A45: HeapAlloc.KERNEL32(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1857427562-0
                                                                                                                                                                                                                                • Opcode ID: 23a3252cb5aa1ceb9cf1dbfe047612e0e4775c8e4192d68e8df02371e9c4781d
                                                                                                                                                                                                                                • Instruction ID: 9ad45024e657c6c1581d72c25b5196d30cf145d3c6dba1e906db6810fcdec08f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 23a3252cb5aa1ceb9cf1dbfe047612e0e4775c8e4192d68e8df02371e9c4781d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0831CE32A0021AABDB248F65CC41DEF7BA5EF40314B05412EFC14E6291EB39DDA5CBD8
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0041E40C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E42F
  • Part of subcall function 00417A45: HeapAlloc.KERNEL32(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E455
• _free.LIBCMT ref: 0041E468
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E477
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
• String ID:
• API String ID: 2278895681-0
• Opcode ID: d21167a4ec00cfc2ded7cff180726697e6523b003ed2d29391144b3d5a9b389e
• Instruction ID: 3801774db5af9eb9c78c35188b4f65337a3fd4a66a09e05ac0132405ac606614
• Opcode Fuzzy Hash: d21167a4ec00cfc2ded7cff180726697e6523b003ed2d29391144b3d5a9b389e
• Instruction Fuzzy Hash: C70188766022157B27211A775C4CCBF6A6DDEC6FE4315012EBD08C3200DE788C8685BD
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 02EEE673
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02EEE696
  • Part of subcall function 02EE7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02EE7CDE
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02EEE6BC
• _free.LIBCMT ref: 02EEE6CF
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 02EEE6DE
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: d19c47060a10e2cafe652fe0b9a9a3538350b76910d5e87ed89a6a6c5fab3348
• Instruction ID: 6b3608affd5c85b61558fb2ddad549fb3b29b083ec6cf9eb6e6bafecb054268d
• Opcode Fuzzy Hash: d19c47060a10e2cafe652fe0b9a9a3538350b76910d5e87ed89a6a6c5fab3348
• Instruction Fuzzy Hash: E90124B27422127B2B3026B65C8CC7F7A2DDAC2AF8309513DBD06C6101DF608C0681B8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
• _free.LIBCMT ref: 00416DD7
• _free.LIBCMT ref: 00416DFE
• SetLastError.KERNEL32(00000000), ref: 00416E0B
• SetLastError.KERNEL32(00000000), ref: 00416E14
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 35a4c01cadca9632a23be7e2e88a6bdbc5a2c1ace872e4e8adc61478f88df720
• Instruction ID: 590f77e2bb6cf6723b3ae76f6f4a9e52eee2512f3abf58083b79aa59d1bf9a60
• Opcode Fuzzy Hash: 35a4c01cadca9632a23be7e2e88a6bdbc5a2c1ace872e4e8adc61478f88df720
• Instruction Fuzzy Hash: 540149363847202B82213676BC45EEB26299BC1374723057FF419A22C2EF7CCC96802C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,02EE25ED,02EE7307,?,02EE6FAE,00000001,00000364,?,02EDE697,?,?,?,02EDED94,?), ref: 02EE7009
• _free.LIBCMT ref: 02EE703E
• _free.LIBCMT ref: 02EE7065
• SetLastError.KERNEL32(00000000), ref: 02EE7072
• SetLastError.KERNEL32(00000000), ref: 02EE707B
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 35a4c01cadca9632a23be7e2e88a6bdbc5a2c1ace872e4e8adc61478f88df720
• Instruction ID: 52d265c31924b13319bb9d4594fd1a6fd25e76c7db76f2ffc6aac67cbbfeec80
• Opcode Fuzzy Hash: 35a4c01cadca9632a23be7e2e88a6bdbc5a2c1ace872e4e8adc61478f88df720
• Instruction Fuzzy Hash: D501F9762C0A012BCF3277755C84F5FA61FABC1374721B438F527A2190FF74880A8965
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 0041ED86
  • Part of subcall function 0041629A: HeapFree.KERNEL32(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2
• _free.LIBCMT ref: 0041ED98
• _free.LIBCMT ref: 0041EDAA
• _free.LIBCMT ref: 0041EDBC
• _free.LIBCMT ref: 0041EDCE
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: e1b2229c170471cad9511440fdbaceac99caba8a87cda5d123aefe47b03668a4
• Instruction ID: 4fbf26fd28a8761b677517a124a66282875c94d9b9982584bfc58ae744149868
• Opcode Fuzzy Hash: e1b2229c170471cad9511440fdbaceac99caba8a87cda5d123aefe47b03668a4
• Instruction Fuzzy Hash: 5FF06232504312EB9E20EF6AF885DDB73E9BA44714355085BF808E7640C778FCC0865C
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 004152D0
  • Part of subcall function 0041629A: HeapFree.KERNEL32(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2
• _free.LIBCMT ref: 004152E2
• _free.LIBCMT ref: 004152F5
• _free.LIBCMT ref: 00415306
• _free.LIBCMT ref: 00415317
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: d2475394655229b87a2a231197a96fb4321ea4f7fd90eb8942919d33dec51e29
• Instruction ID: bd3368c0b25b78dbdc1e8abc7373622524bfd2772586a7011706bfb0bee2724c
• Opcode Fuzzy Hash: d2475394655229b87a2a231197a96fb4321ea4f7fd90eb8942919d33dec51e29
• Instruction Fuzzy Hash: F3F030B14813208B8A167F16FC415C93B61BB5871931131AFF44956775CB395CA18F8E
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE5537
                                                                                                                                                                                                                                  • Part of subcall function 02EE6501: HeapFree.KERNEL32(00000000,00000000,?,02EEF288,?,00000000,?,00000000,?,02EEF52C,?,00000007,?,?,02EEF920,?), ref: 02EE6517
                                                                                                                                                                                                                                  • Part of subcall function 02EE6501: GetLastError.KERNEL32(?,?,02EEF288,?,00000000,?,00000000,?,02EEF52C,?,00000007,?,?,02EEF920,?,?), ref: 02EE6529
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE5549
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE555C
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE556D
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE557E
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                                                                                                • Opcode ID: d2475394655229b87a2a231197a96fb4321ea4f7fd90eb8942919d33dec51e29
                                                                                                                                                                                                                                • Instruction ID: 4bdba6c950ba4575c7195c391d70b7fb63bddfcccfc9316b04deed2b5e5cab36
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d2475394655229b87a2a231197a96fb4321ea4f7fd90eb8942919d33dec51e29
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EFF0BEB09902208BCE226F18FC844553B67BB14720311752EF0464237CCF364AA98FCF
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: @
                                                                                                                                                                                                                                • API String ID: 0-2895899722
                                                                                                                                                                                                                                • Opcode ID: eb037faffcbc25224f47b7b172a94a6fa64205ec3c2df8c7b30cae185e3ce1b9
                                                                                                                                                                                                                                • Instruction ID: c5d623140409e6a8d976750a690e768927eb9a43711eccc58faa8c11c80da68b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eb037faffcbc25224f47b7b172a94a6fa64205ec3c2df8c7b30cae185e3ce1b9
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C851E1B1D40209ABDB10AFA9C845EEF7BB8AF45314F16015BE804B7292D77CD981CB69
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe,00000104), ref: 00413303
                                                                                                                                                                                                                                • _free.LIBCMT ref: 004133CE
                                                                                                                                                                                                                                • _free.LIBCMT ref: 004133D8
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$FileModuleName
                                                                                                                                                                                                                                • String ID: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe
                                                                                                                                                                                                                                • API String ID: 2506810119-1046901381
                                                                                                                                                                                                                                • Opcode ID: 7cde11c0b341d83a689c8ac0215e926d985f9273aa0b89270843955781aff3fc
                                                                                                                                                                                                                                • Instruction ID: 1d3d6450662fa2269543f68f0355dd37071cdd96c53fcda0561707c64ab2d40b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7cde11c0b341d83a689c8ac0215e926d985f9273aa0b89270843955781aff3fc
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4731B371A40218AFCB21DF9A9C819DEBBB8EB84311B1040ABFC14D7210DB788B81CB5D
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe,00000104), ref: 02EE356A
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE3635
                                                                                                                                                                                                                                • _free.LIBCMT ref: 02EE363F
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free$FileModuleName
                                                                                                                                                                                                                                • String ID: C:\Users\user\Pictures\XEAazEoSTmJSOa66cXm6S07v.exe
                                                                                                                                                                                                                                • API String ID: 2506810119-1046901381
                                                                                                                                                                                                                                • Opcode ID: 7cde11c0b341d83a689c8ac0215e926d985f9273aa0b89270843955781aff3fc
                                                                                                                                                                                                                                • Instruction ID: 8ec4e7c52d8c0915f38afc3de87e9b1da72a16943a5569189f5a595652bb25f4
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7cde11c0b341d83a689c8ac0215e926d985f9273aa0b89270843955781aff3fc
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 773182B1A80258AFDF21DF999C849AEBBFDEB84714F1090A6E40697310DB708A45CF91
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID: /cpa/ping.php?substr=%s&s=ab&sub=%s$one$qvB
                                                                                                                                                                                                                                • API String ID: 3519838083-855906859
                                                                                                                                                                                                                                • Opcode ID: f5393bbe0179e56c72e8d6aed76511a95c4a66d15052c3b77f8b18530fd2a227
                                                                                                                                                                                                                                • Instruction ID: ad02dca9dcea92bc89fb72e46ded64b78a61fcdd4b3303bd9e38b3cf21719b52
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f5393bbe0179e56c72e8d6aed76511a95c4a66d15052c3b77f8b18530fd2a227
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6D110472A40514BBDB049F88CC40BEEB7BEFF44724F00916AF808D7241D371AA528FA1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
• String ID: /ping.php?substr=%s$185.172.128.228$Installed
• API String ID: 3519838083-3380671521
• Opcode ID: dbdcc093d5ff49b9939fbe79e5565d2d08c15c449c4736c25c3cf056a1d98fb5
• Instruction ID: e528e6f54f7bd6397a7a31987af09de96e2bb5ca05102ccdf4d55b1b8520bb33
• Opcode Fuzzy Hash: dbdcc093d5ff49b9939fbe79e5565d2d08c15c449c4736c25c3cf056a1d98fb5
• Instruction Fuzzy Hash: 2301C472A01114BBDB04AF899C41BAEF76DEF85315F10013FF405E3292D3789E5186E9
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 02EF6398
• WriteFile.KERNEL32(00000000,?,00000400,02EF59A8,00000000), ref: 02EF63B0
• CloseHandle.KERNEL32(00000000), ref: 02EF63B9
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: /syncUpd.exe
• API String ID: 1065093856-1956333723
• Opcode ID: a912db88f114df2c6673003673c4522d4d60e875e8989093ee3ec27779da3b73
• Instruction ID: 5d607ecfc7567128f1ebe597e529a3989bdf32e69c1acc5ef529c19896fa98e5
• Opcode Fuzzy Hash: a912db88f114df2c6673003673c4522d4d60e875e8989093ee3ec27779da3b73
• Instruction Fuzzy Hash: E8F0F4B2342221B7D7301AA99C88E5FBA9DEF846A4F005039F726D3191CBB1EC0486F4
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,serversystemNCQ_x64.exe), ref: 00426207
• WriteFile.KERNEL32(00000000,?,00000400,00425B7F,00000000), ref: 0042621F
• CloseHandle.KERNEL32(00000000), ref: 00426228
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: serversystemNCQ_x64.exe
• API String ID: 1065093856-4105491473
• Opcode ID: 81eeccf449e78c501f1cd1432d73a9a3a23dd028abcdb10082ca37ec707300bb
• Instruction ID: e17ace126460657e3681985d0a65b8929ef4349a74fc66e1559dc9d9555c5b24
• Opcode Fuzzy Hash: 81eeccf449e78c501f1cd1432d73a9a3a23dd028abcdb10082ca37ec707300bb
• Instruction Fuzzy Hash: A7F0F6B2701231BBD3305AA6AC48E6BBA5DFF44664F41003ABB01D3150CBB5EC11D2F8
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,serversystemNCQ_x64.exe), ref: 02EF646E
• WriteFile.KERNEL32(00000000,?,00000400,02EF5DE6,00000000), ref: 02EF6486
• CloseHandle.KERNEL32(00000000), ref: 02EF648F
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: serversystemNCQ_x64.exe
• API String ID: 1065093856-4105491473
• Opcode ID: 81eeccf449e78c501f1cd1432d73a9a3a23dd028abcdb10082ca37ec707300bb
• Instruction ID: 16b5ccc2bb3a6dff7e4881301f187ed688ed4d5f993a600d7091d1da0dde450f
• Opcode Fuzzy Hash: 81eeccf449e78c501f1cd1432d73a9a3a23dd028abcdb10082ca37ec707300bb
• Instruction Fuzzy Hash: C5F096B2741221BBD7305AA69C48F5BBA5DFF44568F008035B719D3154DB71EC05D6F4
Uniqueness
Uniqueness Score: -1.00%

APIs
• ShellExecuteExA.SHELL32(?,/BroomSetup.exe), ref: 004261A1
• WaitForSingleObject.KERNEL32(?,00008000), ref: 004261B5
• CloseHandle.KERNEL32(?), ref: 004261BE
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: CloseExecuteHandleObjectShellSingleWait
• String ID: /BroomSetup.exe
• API String ID: 3837156514-1897133622
• Opcode ID: faa3531e92f7a28ce8b89843f4620ca73c62c6e16bba268bd3709f44c3ecf90f
• Instruction ID: 1e311514b9377177f2af020c61367fd92aa00ac37d84a7ed16a1071a1e85f590
• Opcode Fuzzy Hash: faa3531e92f7a28ce8b89843f4620ca73c62c6e16bba268bd3709f44c3ecf90f
• Instruction Fuzzy Hash: F9018F71E00218EBDF15DF69EC455DDBBB8FF08310F41812AF801A6260EB709A45CF94
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 189549fbd5bb4ab0b5dc2d1a196f9afd79985f6d04f47c2d3181048c17836110
• Instruction ID: 904abf3455293af5dc28361a3842bc8dfa3977a77267bab69feed652e5be58e7
• Opcode Fuzzy Hash: 189549fbd5bb4ab0b5dc2d1a196f9afd79985f6d04f47c2d3181048c17836110
• Instruction Fuzzy Hash: 17A11272A083869FDB218E18C881BEBBBF1EF55354F1441AEE5859B281D63C8982C758
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 189549fbd5bb4ab0b5dc2d1a196f9afd79985f6d04f47c2d3181048c17836110
• Instruction ID: 7a75555fcf6f4a84602408ccfa02a06db16c6882d842fcf7e9c678d4c7976a03
• Opcode Fuzzy Hash: 189549fbd5bb4ab0b5dc2d1a196f9afd79985f6d04f47c2d3181048c17836110
• Instruction Fuzzy Hash: C7A19E719807869FEF15CF58C8907AEBBE1EF15354F14D2ADE9869B2A0C3348D41CB60
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 924813c39a5b03831233b14b3106f787ad6322a7f0d6cd44e75183d026feff34
• Instruction ID: 73bae74a26b7ada03dc8fd491e978b67bd9d17df28ded5f6e3a1200ab970dd08
• Opcode Fuzzy Hash: 924813c39a5b03831233b14b3106f787ad6322a7f0d6cd44e75183d026feff34
• Instruction Fuzzy Hash: 2F411BB1B002207BDB206B7A9D41BEE36A4FF05374F54021BF818D6291DAFC89C19669
Uniqueness
Uniqueness Score: -1.00%

APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 269201875-0
                                                                                                                                                                                                                                • Opcode ID: 3b94825b8aa3832d3ef3165fe941ff5e47c4270fc62a832450709df6769c8b69
                                                                                                                                                                                                                                • Instruction ID: 38cb1b0fd046c624684e22f3effc748779363c8bd9306621a368d1edcc558e14
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3b94825b8aa3832d3ef3165fe941ff5e47c4270fc62a832450709df6769c8b69
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0D416831AC02056BCF616FB88CA4AFE3BAAEF01334F00E215FF1DD6190DB3485418A62
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0042D740,00000000,00000000,8B56FF8B,02EE4002,?,00000004,00000001,0042D740,0000007F,?,8B56FF8B,00000001), ref: 02EEB5B4
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02EEB63D
                                                                                                                                                                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 02EEB64F
                                                                                                                                                                                                                                • __freea.LIBCMT ref: 02EEB658
                                                                                                                                                                                                                                  • Part of subcall function 02EE7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02EE7CDE
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2652629310-0
                                                                                                                                                                                                                                • Opcode ID: 85e830a01370505c20d0c66bcccfbbe4c72d0f29140b44b833c745a57283bd6b
                                                                                                                                                                                                                                • Instruction ID: d1b85bce522c27373968fc92a10220dd1e5e3d7e766f0250a9e3961f6f2c915b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 85e830a01370505c20d0c66bcccfbbe4c72d0f29140b44b833c745a57283bd6b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9431CEB2A0120AABDF248F64DC44DAE7BA6EB40718F05812DFD19DA150EB35C865CB90
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 0040CCBE
                                                                                                                                                                                                                                  • Part of subcall function 0040CC0B: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC3A
                                                                                                                                                                                                                                  • Part of subcall function 0040CC0B: ___AdjustPointer.LIBCMT ref: 0040CC55
                                                                                                                                                                                                                                • _UnwindNestedFrames.LIBCMT ref: 0040CCD3
                                                                                                                                                                                                                                • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCE4
                                                                                                                                                                                                                                • CallCatchBlock.LIBVCRUNTIME ref: 0040CD0C
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 737400349-0
                                                                                                                                                                                                                                • Opcode ID: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
                                                                                                                                                                                                                                • Instruction ID: 6cd8a4fdf9e309ef40a66346d060796d29459ceaa081db5c793327cde4683266
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AA012D72500108BBDF116F96CC81DEB3F69EF98758F044129FE0866261C73AE861DBA4
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 02EDCF25
                                                                                                                                                                                                                                  • Part of subcall function 02EDCE72: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 02EDCEA1
                                                                                                                                                                                                                                  • Part of subcall function 02EDCE72: ___AdjustPointer.LIBCMT ref: 02EDCEBC
                                                                                                                                                                                                                                • _UnwindNestedFrames.LIBCMT ref: 02EDCF3A
                                                                                                                                                                                                                                • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 02EDCF4B
                                                                                                                                                                                                                                • CallCatchBlock.LIBVCRUNTIME ref: 02EDCF73
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 737400349-0
                                                                                                                                                                                                                                • Opcode ID: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
                                                                                                                                                                                                                                • Instruction ID: 0ea2c8ee5ae4b58e4e2739d85e426b209b9a8b576d40e758f1bcb3563b250468
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 42014C72140108BBCF126F96CC40EEB7F6AEF88794F15A015FE0896120D732E862DBA0
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%
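The two ___BuildCatchObject records above carry the same Opcode ID (47db2c81…) but different Instruction IDs, one in the image-backed dump at 00400000 and one in the Yara-matching, non-PE-backed region at 02ED0000. Cross-referencing records this way is how an analyst confirms that the unpacked region contains a second copy of the same CRT code. The following script is an added example written for this page, not Joe Sandbox code: it parses records in the format printed here (the record text is a constructed, abridged copy of three records from this report), groups them by Opcode ID, and computes the call-site RVA of a named API within each dump. The parsing rules and the helper names (`parse_records`, `shared_opcode_ids`, `region_only_apis`, `rva_of`) are assumptions made for the example.

```python
"""Added example, not Joe Sandbox code: parse the IDA-plugin function records
printed in this report and cross-reference them between memory dumps.
Field names follow the report; parsing rules and helper names are assumed."""
import re
from collections import defaultdict

# Constructed, abridged copy of three records from this report: the paired
# ___BuildCatchObject functions and the LoadLibraryExW function.
SAMPLE = """\
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0040CCBE
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• Opcode ID: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
• Instruction ID: 6cd8a4fdf9e309ef40a66346d060796d29459ceaa081db5c793327cde4683266
Uniqueness Score: -1.00%

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 02EDCF25
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Yara matches
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• Opcode ID: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
• Instruction ID: 0ea2c8ee5ae4b58e4e2739d85e426b209b9a8b576d40e758f1bcb3563b250468
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800), ref: 02EE74EC
• GetLastError.KERNEL32(?), ref: 02EE74F8
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Yara matches
• API ID: LibraryLoad$ErrorLast
• Opcode ID: ca8a45eebd2a79313c9465f68ee09d2646c408a2010e3a78c504b4db5e2a09bb
• Instruction ID: a9d54575486c93b536a909be91023237140a4bdb25b7baff6476fe031d3a3e65
Uniqueness Score: -1.00%
"""

SRC_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
FIELD_RE = re.compile(r"^• (API ID|Opcode ID|Instruction ID): ?(.*)$")
REF_RE = re.compile(r"^• ([^.\s(]+)\.([A-Za-z0-9_]+).*ref: ([0-9A-Fa-f]+)$")

def parse_records(text):
    """One dict per record; records are separated by a blank line."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {"base": None, "pe_backed": None, "yara": False, "fields": {}, "refs": []}
        for raw in chunk.splitlines():
            line = raw.strip()
            if line == "Yara matches":
                rec["yara"] = True
                continue
            m = SRC_RE.search(line)
            if m:
                rec["base"] = int(m.group(2), 16)
                rec["pe_backed"] = m.group(3) == "true"
                continue
            m = FIELD_RE.match(line)
            if m:
                rec["fields"][m.group(1)] = m.group(2).strip()
                continue
            m = REF_RE.match(line)
            if m:  # (api name, module, call-site address)
                rec["refs"].append((m.group(1), m.group(2), int(m.group(3), 16)))
        records.append(rec)
    return records

def shared_opcode_ids(records):
    """Opcode IDs present in more than one dump, with the dumps they appear in and
    whether the operand-sensitive Instruction IDs differ between the copies."""
    by_oid = defaultdict(list)
    for rec in records:
        oid = rec["fields"].get("Opcode ID")
        if oid and rec["base"] is not None:
            by_oid[oid].append(rec)
    result = {}
    for oid, recs in by_oid.items():
        dumps = sorted({(r["base"], r["pe_backed"]) for r in recs})
        if len(dumps) > 1:
            instr = {r["fields"].get("Instruction ID") for r in recs}
            result[oid] = {"dumps": dumps, "instruction_ids_differ": len(instr) > 1}
    return result

def region_only_apis(records):
    """APIs referenced from Yara-matching, non-PE-backed dumps but from no
    image-backed dump: candidates for code that only exists after unpacking."""
    in_image = {n for r in records if r["pe_backed"] for n, _, _ in r["refs"]}
    names = set()
    for r in records:
        if r["yara"] and not r["pe_backed"]:
            names.update(n for n, _, _ in r["refs"] if n not in in_image)
    return sorted(names)

def rva_of(rec, api_name):
    """RVA of the call site of api_name inside its dump, or None if not referenced."""
    for name, _module, addr in rec["refs"]:
        if name == api_name:
            return addr - rec["base"]
    return None
```

On the constructed sample, `shared_opcode_ids` reports Opcode ID 47db2c81… in both the 00400000 and 02ED0000 dumps with differing Instruction IDs, and `rva_of` gives 0xCCBE for the image copy but 0xCF25 for the region copy. Since the region base is exactly 0x2AD0000 above the image base, a straight rebased copy of the main image would sit at the same RVA; the 0x267 difference means the region holds a separately laid-out binary that happens to link the same CRT routine. Within this excerpt, `region_only_apis` lists the LoadLibraryExW and GetLastError call sites as present only in the Yara-matching region; a full report should be fed to the parser before treating that as evidence of payload-only code.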

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,02EDED94,00000000,00000000,?,02EE7461,02EDED94,00000000,00000000,00000000,?,02EE7719,00000006,0042E2F8), ref: 02EE74EC
• GetLastError.KERNEL32(?,02EE7461,02EDED94,00000000,00000000,00000000,?,02EE7719,00000006,0042E2F8,0042E2F0,0042E2F8,00000000,00000364,?,02EE7052), ref: 02EE74F8
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,02EE7461,02EDED94,00000000,00000000,00000000,?,02EE7719,00000006,0042E2F8,0042E2F0,0042E2F8,00000000), ref: 02EE7506
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: ca8a45eebd2a79313c9465f68ee09d2646c408a2010e3a78c504b4db5e2a09bb
• Instruction ID: a9d54575486c93b536a909be91023237140a4bdb25b7baff6476fe031d3a3e65
• Opcode Fuzzy Hash: ca8a45eebd2a79313c9465f68ee09d2646c408a2010e3a78c504b4db5e2a09bb
• Instruction Fuzzy Hash: C20120327927226BCF314B78AC44A97B759AF057A57519934FA07D3140DB20D409C6E4
Uniqueness
Uniqueness Score: -1.00%

APIs
• __startOneArgErrorHandling.LIBCMT ref: 004129CD
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: ba6df8563b8339eb0810a3e9ef2dc3b9b5ce058691c0daabc23001b6b9fc0b5a
• Instruction ID: e871ad958d0c3237763a2db945e0d8ca842ad08ee161d37671be5f50051c649b
• Opcode Fuzzy Hash: ba6df8563b8339eb0810a3e9ef2dc3b9b5ce058691c0daabc23001b6b9fc0b5a
• Instruction Fuzzy Hash: 5C515BB1B5420296C7257719DF813EB2B90EF40750F60496BE085C63E9EB7C8CE6DA4E
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 02EF64A1
                                                                                                                                                                                                                                  • Part of subcall function 02ED4073: __EH_prolog.LIBCMT ref: 02ED4078
                                                                                                                                                                                                                                  • Part of subcall function 02ED4073: std::locale::_Init.LIBCPMT ref: 02ED409A
                                                                                                                                                                                                                                • _Deallocate.LIBCONCRT ref: 02EF65F5
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog$DeallocateInitstd::locale::_
                                                                                                                                                                                                                                • String ID: LyB
                                                                                                                                                                                                                                • API String ID: 2389838984-3773714357
                                                                                                                                                                                                                                • Opcode ID: b43d6b7ceb65bfdddc8a4d1d72d1a4e11e7704bb8849fddb18eadf6b27138a00
                                                                                                                                                                                                                                • Instruction ID: 8a10be05a8f80f64bb325f73e5a4620946858cd3405a1673271cc664ca3fa2c8
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b43d6b7ceb65bfdddc8a4d1d72d1a4e11e7704bb8849fddb18eadf6b27138a00
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4B51AD71A40248DFDB04DFA9C890AEDFBB5FF58304F64922EE506A7242D7709A46CF50
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DE21
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Info
                                                                                                                                                                                                                                • String ID: $.A
                                                                                                                                                                                                                                • API String ID: 1807457897-2696116503
                                                                                                                                                                                                                                • Opcode ID: 02f55ba3ac5568e03e9fdbd7b88b41772807cc386f704f7c8a9efdfd3a48f4bf
                                                                                                                                                                                                                                • Instruction ID: c8879a2e2c6f1093175ecb34d3b29c7df1a6cb98fe180daaeb3bdf81d7a36b90
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 02f55ba3ac5568e03e9fdbd7b88b41772807cc386f704f7c8a9efdfd3a48f4bf
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 56410AF190434C9ADB218E248D84BFABBB9DF55304F1404EEE58A97142D23DAA86CF64
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 02EDCA4A
                                                                                                                                                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 02EDCB03
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                                • API String ID: 3480331319-1018135373
                                                                                                                                                                                                                                • Opcode ID: 796a0128d9dbb3bf8459a97561fbccceb7ea0ac6e0ba9330f3f48fee75113795
                                                                                                                                                                                                                                • Instruction ID: 3b85d4b0f553489863dbf5c4533aa78a7b8476beb971ae567e65040ced76eeb1
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 796a0128d9dbb3bf8459a97561fbccceb7ea0ac6e0ba9330f3f48fee75113795
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C341A130A402199BCF10DF68C880AAEBBB5EF45368F24E157E916AB291D771D947CF90
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetACP.KERNEL32(?,20001004,?,00000002), ref: 0041FE6D
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: ACP$OCP
                                                                                                                                                                                                                                • API String ID: 0-711371036
                                                                                                                                                                                                                                • Opcode ID: c6d2c2c3f7c25fabefd8c517707ca918c95a0ca72f85b56e9eba91488959f309
                                                                                                                                                                                                                                • Instruction ID: 649476e1b3bbd5175eaef6faf82ab2916ec2ed690aaaaf30446e18060a09e767
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c6d2c2c3f7c25fabefd8c517707ca918c95a0ca72f85b56e9eba91488959f309
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6D21F772B04201A6DB308E55D901BE772A69B60B24F568077E90AC7312FB3ADDCA835C
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetACP.KERNEL32(?,20001004,?,00000002), ref: 02EF00D4
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: ACP$OCP
                                                                                                                                                                                                                                • API String ID: 0-711371036
                                                                                                                                                                                                                                • Opcode ID: c6d2c2c3f7c25fabefd8c517707ca918c95a0ca72f85b56e9eba91488959f309
                                                                                                                                                                                                                                • Instruction ID: 36bca515f3927749d779a2d17ea0de0c2fa4e339cd04ac5959902d4ea66133d6
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c6d2c2c3f7c25fabefd8c517707ca918c95a0ca72f85b56e9eba91488959f309
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DD21CB62B81104A6DBB48F54C901B97B266AF40B59F86DC35EB0AD790EFB36DD40C354
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID: Installed$SOFTWARE\BroomCleaner
                                                                                                                                                                                                                                • API String ID: 3519838083-529226407
                                                                                                                                                                                                                                • Opcode ID: 0c1498eeef2a83cafb83bf210d5a9b90b4b671d1f7746b808874f939b35d2cd9
                                                                                                                                                                                                                                • Instruction ID: 1c3277785c2cdcd24bf8127671885ea2ffc62aeb5c016c94c6990ff4565fc372
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0c1498eeef2a83cafb83bf210d5a9b90b4b671d1f7746b808874f939b35d2cd9
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FD31A971A40229EFDB158FA8CC90AFEBB79FB48318F04A12DE902B3251C7710D06CB60
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 02EF60FE
  • Part of subcall function 02ED1E19: __EH_prolog.LIBCMT ref: 02ED1E1E
  • Part of subcall function 02ED266A: __EH_prolog.LIBCMT ref: 02ED266F
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 02EF61E0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: H_prolog$Ios_base_dtorstd::ios_base::_
• String ID: xB
• API String ID: 420165198-2600814558
• Opcode ID: 9ab3aaf70d2163a1063e646c5f49d5cb4be0b6ea4cdc2725c479562135cb88ac
• Instruction ID: 75bcab3cca3742e4cb9037d03d7da9f3f2a1d922c25466c01cd01d728b6abc7e
• Opcode Fuzzy Hash: 9ab3aaf70d2163a1063e646c5f49d5cb4be0b6ea4cdc2725c479562135cb88ac
• Instruction Fuzzy Hash: C531F6B4D41219EBDB14EF94D980AEDF7B5FF48300F10D1AAE815A3640EB746A09CF60
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 02ED33E1
• std::locale::_Init.LIBCPMT ref: 02ED3428
  • Part of subcall function 02ED7FDA: __EH_prolog3.LIBCMT ref: 02ED7FE1
  • Part of subcall function 02ED7FDA: std::_Lockit::_Lockit.LIBCPMT ref: 02ED7FEC
  • Part of subcall function 02ED7FDA: std::locale::_Setgloballocale.LIBCPMT ref: 02ED8007
  • Part of subcall function 02ED7FDA: _Yarn.LIBCPMT ref: 02ED801D
  • Part of subcall function 02ED7FDA: std::_Lockit::~_Lockit.LIBCPMT ref: 02ED805D
  • Part of subcall function 02ED3651: __EH_prolog.LIBCMT ref: 02ED3656
  • Part of subcall function 02ED3651: std::_Lockit::_Lockit.LIBCPMT ref: 02ED3665
  • Part of subcall function 02ED3651: int.LIBCPMT ref: 02ED367C
  • Part of subcall function 02ED3651: std::locale::_Getfacet.LIBCPMT ref: 02ED3685
  • Part of subcall function 02ED3651: std::_Lockit::~_Lockit.LIBCPMT ref: 02ED36CC
  • Part of subcall function 02ED1AE6: __CxxThrowException@8.LIBVCRUNTIME ref: 02ED1B30
  • Part of subcall function 02ED1AE6: std::system_error::system_error.LIBCPMT ref: 02ED1B3F
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Yara matches
Similarity
• API ID: Lockitstd::_$std::locale::_$H_prologLockit::_Lockit::~_$Exception@8GetfacetH_prolog3InitSetgloballocaleThrowYarnstd::system_error::system_error
• String ID: !vB
• API String ID: 372095707-662244105
• Opcode ID: 4deb0b62ca6bed2fa6a44367b456c2ab057c0f4f5e284071d2ebbd93a586d0bc
• Instruction ID: eb2a181099f8e0ed6cc3f541d9d0c5d2a3085b300a32d6e607fedae8f1e4da21
• Opcode Fuzzy Hash: 4deb0b62ca6bed2fa6a44367b456c2ab057c0f4f5e284071d2ebbd93a586d0bc
• Instruction Fuzzy Hash: 5A2164B1A00A0AAFD714DF2AC185A99FBF1FB08314F50926EE01997A80D774E965CF94
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 00417217
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: AddressProc__crt_fast_encode_pointer
• String ID: -@
• API String ID: 2279764990-2564449678
• Opcode ID: dc50904c779d9d650c94e7699dac49ecaf35141d5acdb291f08ec5f954601914
• Instruction ID: be5354ef9640d5baeda707f88ba0ee7c606e7dd11eb492dad25bcfdc379f5c6d
• Opcode Fuzzy Hash: dc50904c779d9d650c94e7699dac49ecaf35141d5acdb291f08ec5f954601914
• Instruction Fuzzy Hash: E7110633A04120ABAB369E19EC809DB73B9AB843207164272FD15AB344DB34DCC2C6D9
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: H_prolog
• String ID: /cpa/ping.php?substr=%s&s=ab&sub=%s$one
• API String ID: 3519838083-2876206925
• Opcode ID: f5393bbe0179e56c72e8d6aed76511a95c4a66d15052c3b77f8b18530fd2a227
• Instruction ID: 23fc970319ec432bccea8ea3542248735fa0f2929cdefa52ec0488ef77b85577
• Opcode Fuzzy Hash: f5393bbe0179e56c72e8d6aed76511a95c4a66d15052c3b77f8b18530fd2a227
• Instruction Fuzzy Hash: BD11C232A00014BBDB04AF899C01BAEBB69EF45315F40012FF405A3292D3799A518BA8
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 00402FEA
• std::locale::_Init.LIBCPMT ref: 0040300E
  • Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
  • Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
  • Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
  • Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
  • Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
• String ID: T*@
• API String ID: 4198646248-2370032326
• Opcode ID: fa242de69d7e6d687caa4bf5b119ee0c34448b06913b79c6670ede3c9bbc00ff
• Instruction ID: c469f1781f4eb74895915257e237cd09ecdba2ecacf51dc6ab7e16c1717fddcf
• Opcode Fuzzy Hash: fa242de69d7e6d687caa4bf5b119ee0c34448b06913b79c6670ede3c9bbc00ff
• Instruction Fuzzy Hash: F921B0B5A00A06AFC305DF6AD581995FBF8FF49314B40822FE80987B50E774A964CFA4
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 00404373
  • Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47
• __Getcoll.LIBCPMT ref: 004043CF
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
Similarity
• API ID: H_prolog$Getcoll
• String ID: u@@
• API String ID: 206117190-736001340
• Opcode ID: 8ac08cb90d6c8a0e3a8eafc8112a944c2dcf30f0700bdbfcd0b9c4691759611c
• Instruction ID: 22f8a194e856adbcf5db44b98b1892bbe0116132472f20e5c64479f843611134
• Opcode Fuzzy Hash: 8ac08cb90d6c8a0e3a8eafc8112a944c2dcf30f0700bdbfcd0b9c4691759611c
• Instruction Fuzzy Hash: 511170B19012099FCB04EFA9C581A9DBBB4FF84308F10843FE545BB281D7789A44CB95
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 02ED45DA
                                                                                                                                                                                                                                  • Part of subcall function 02ED3CA9: __EH_prolog.LIBCMT ref: 02ED3CAE
                                                                                                                                                                                                                                • __Getcoll.LIBCPMT ref: 02ED4636
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog$Getcoll
                                                                                                                                                                                                                                • String ID: cwB
                                                                                                                                                                                                                                • API String ID: 206117190-1299997670
                                                                                                                                                                                                                                • Opcode ID: 8ac08cb90d6c8a0e3a8eafc8112a944c2dcf30f0700bdbfcd0b9c4691759611c
                                                                                                                                                                                                                                • Instruction ID: e07eae84378096e10216d331d90b86ac0429f1b9822bf793aafd2b80957089ab
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ac08cb90d6c8a0e3a8eafc8112a944c2dcf30f0700bdbfcd0b9c4691759611c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 37115AB29402099FCB00EFA8D480ADDB7B5FF54714F10D46AE01AAB240D770AA46CFA1
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID: ?uB$ios_base::failbit set
                                                                                                                                                                                                                                • API String ID: 3519838083-946796157
                                                                                                                                                                                                                                • Opcode ID: 234de090022dfe67052ebfa9b3a4f165bdb172cecaf10e59d262a8163687a49b
                                                                                                                                                                                                                                • Instruction ID: 179010d23342a5e286c324401904a93876e9dba2847e087f9af888083d206a13
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 234de090022dfe67052ebfa9b3a4f165bdb172cecaf10e59d262a8163687a49b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5401DF72900109AFDB04EF98C480BFDFBB9EF49314F18905EE805AB251D7B45E46CBA4
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • WaitForSingleObject.KERNEL32(?,00008000), ref: 02EF641C
                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 02EF6425
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CloseHandleObjectSingleWait
                                                                                                                                                                                                                                • String ID: /BroomSetup.exe
                                                                                                                                                                                                                                • API String ID: 528846559-1897133622
                                                                                                                                                                                                                                • Opcode ID: faa3531e92f7a28ce8b89843f4620ca73c62c6e16bba268bd3709f44c3ecf90f
                                                                                                                                                                                                                                • Instruction ID: 7034252c36634f9055eb2fc39abad344ae1775ea799a6d3c25063777f7d4a5ba
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: faa3531e92f7a28ce8b89843f4620ca73c62c6e16bba268bd3709f44c3ecf90f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0B017C31D01218EBDB15DF69E8445DCBBB8FF48714F40C12AF912A6260EB709645CF90
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A76A
                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 0041A778
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A7D3
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3312675882.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1717984340-0
                                                                                                                                                                                                                                • Opcode ID: 796b5502bf3758a62d3774a2a03d829f786e940855c074945e7165fbf0666ef5
                                                                                                                                                                                                                                • Instruction ID: 87839b596d2bb0c5de59c8c1227ac8d795198cb32e80a538f680ccd386729a76
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 796b5502bf3758a62d3774a2a03d829f786e940855c074945e7165fbf0666ef5
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 04410830602246AFCF219F69C944AEF7BB4AF01310F15416AEC6997291DB38CDA2C75A
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 02EEA9D1
                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 02EEA9DF
                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 02EEAA3A
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.3368165895.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2ed0000_XEAazEoSTmJSOa66cXm6S07v.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1717984340-0
                                                                                                                                                                                                                                • Opcode ID: e2dcd7916019b3a733183e7ba2e3bccfca86bceaf396c0a8a97430b0cc35b528
                                                                                                                                                                                                                                • Instruction ID: 974ae95ce485046cb0502074aa199239bb2a48f29d52239403a26b9558f23caf
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e2dcd7916019b3a733183e7ba2e3bccfca86bceaf396c0a8a97430b0cc35b528
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2C41C030640306AFCF218F64D944BAA7BA5AF41328F15E17DF95EAB3A0DB318905CB64
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetVersion.KERNEL32 ref: 00414B2A
                                                                                                                                                                                                                                  • Part of subcall function 004159F8: HeapCreate.KERNELBASE(00000000,00001000,00000000,00414B62,00000001), ref: 00415A09
                                                                                                                                                                                                                                  • Part of subcall function 004159F8: HeapDestroy.KERNEL32 ref: 00415A48
                                                                                                                                                                                                                                • GetCommandLineA.KERNEL32 ref: 00414B8A
                                                                                                                                                                                                                                • GetStartupInfoA.KERNEL32(?), ref: 00414BB5
                                                                                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00414BD8
                                                                                                                                                                                                                                  • Part of subcall function 00414C31: ExitProcess.KERNEL32 ref: 00414C4E
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2057626494-0
                                                                                                                                                                                                                                • Opcode ID: e3a55e15dfbba78f576db0669a4780403b126b59620817d16bca0fbeb85d5517
                                                                                                                                                                                                                                • Instruction ID: b13fe99396feb2249fb7197ea22bdd2eb3a8d4431b5d50e9622b99800ed9eeb5
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e3a55e15dfbba78f576db0669a4780403b126b59620817d16bca0fbeb85d5517
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0721D2B0A44705AFD718AFB6DC46BEE7BB8EF44714F10052FF9009A291DB3C85808A9C
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 004055E3
                                                                                                                                                                                                                                  • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                                                                                                                                                                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 00405611
                                                                                                                                                                                                                                • AreFileApisANSI.KERNEL32(?), ref: 0040563D
                                                                                                                                                                                                                                • FindFirstFileA.KERNEL32(?,?,00000001), ref: 0040565E
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FileFind$First$ApisCloseH_prolog
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 4121580741-0
                                                                                                                                                                                                                                • Opcode ID: fcb5256250039c908afd196fb8e76c17c38080862ebf91937f58451f3d562862
                                                                                                                                                                                                                                • Instruction ID: 53571c6d670a3437f98eaf3b47711b77fa147e423a783867877babb07b55427d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fcb5256250039c908afd196fb8e76c17c38080862ebf91937f58451f3d562862
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AB21813180050ADFCF11EF60C8459EEBB75EF00329F10476AE4A5B61E1DB399A85CF48
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                                                                                                                                                                                                                                • FindFirstFileA.KERNELBASE(?,?,000000FF), ref: 00405559
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Find$CloseFileFirst
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2295610775-0
                                                                                                                                                                                                                                • Opcode ID: 4d5417fc6ca074e65557f02866c61fee52306747aaa4eef42dce5467d8724910
                                                                                                                                                                                                                                • Instruction ID: 4d0f5172a85985fc9641596f45f8b0e99eb03685ed3a07152804d04183bf4296
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4d5417fc6ca074e65557f02866c61fee52306747aaa4eef42dce5467d8724910
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5DE0923040050876CB20BF35DC019EB776AEF11398F104276F955672E5D738D9468F98
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph
APIs
  • Part of subcall function 00401A51: GetVersionExA.KERNEL32(?), ref: 00401A6B
• GetCommandLineW.KERNEL32(00000003,00000003,00000003,00000003,?,00000000), ref: 0040108B
  • Part of subcall function 004038EE: __EH_prolog.LIBCMT ref: 004038F3
  • Part of subcall function 004045E2: __EH_prolog.LIBCMT ref: 004045E7
  • Part of subcall function 004045E2: GetModuleFileNameW.KERNEL32(?,?,00000105,00000003,00000000,00000000), ref: 00404618
  • Part of subcall function 0040235E: __EH_prolog.LIBCMT ref: 00402363
  • Part of subcall function 00402323: __EH_prolog.LIBCMT ref: 00402328
  • Part of subcall function 00403D5A: __EH_prolog.LIBCMT ref: 00403D5F
• MessageBoxW.USER32(00000000,?,?,00000010), ref: 004015DF
• SetCurrentDirectoryA.KERNELBASE(?,?,00000001,?,?,00000003,00000003,0042023C,;!@InstallEnd@!,?,00000003,00000000,00000002,00420274,00000003,?), ref: 0040161E
• SetCurrentDirectoryA.KERNEL32(?,?,00000000), ref: 00401627
• ShellExecuteExA.SHELL32(0000003C,?,00000000), ref: 004016D7
• MessageBoxW.USER32(00000000,?,?,00000024), ref: 00401306
  • Part of subcall function 00411093: MessageBoxW.USER32(00000000,?,7-Zip,00000010), ref: 0041109C
  • Part of subcall function 00402F15: __EH_prolog.LIBCMT ref: 00402F1A
• SetCurrentDirectoryA.KERNEL32(?,?,00000000), ref: 004018B2
• CloseHandle.KERNEL32(?,?,00000000), ref: 00401940
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00401965
• CloseHandle.KERNEL32(?,?,00000000), ref: 0040196E
• SetCurrentDirectoryA.KERNEL32(?,?,00000000), ref: 00401977
Strings
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: H_prolog$CurrentDirectory$Message$CloseHandle$CommandExecuteFileLineModuleNameObjectShellSingleVersionWait
• String ID: $%%T$%%T\$;!@Install@!UTF-8!$;!@InstallEnd@!$<$> @$Can not create temp folder archive$Can not find setup.exe$Can not load codecs$Can not open file$Can't load config info$Config failed$D$Directory$ExecuteFile$ExecuteParameters$RunProgram$Title$setup.exe
                                                                                                                                                                                                                                • API String ID: 2760820266-829806607
                                                                                                                                                                                                                                • Opcode ID: 2ae731fc3f4a3823738156fd9143628e005fdebe6c7a76c6afd666806b1dc003
                                                                                                                                                                                                                                • Instruction ID: 30a6e78c0a87ce65c61bf6c489231b06ab30573cf11c386798d37ebdc1e5dfdc
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2ae731fc3f4a3823738156fd9143628e005fdebe6c7a76c6afd666806b1dc003
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 57524971D002199ADF21EFA1DC85AEEBB75BF04318F1040BFE149761A2DB395A85CF58
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%
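The string list above (the ";!@Install@!UTF-8!" / ";!@InstallEnd@!" markers, the Title, Directory, RunProgram, ExecuteFile and ExecuteParameters keys, the "%%T" token, the "setup.exe" fallback and the "Can not find setup.exe" / "Config failed" messages) identifies the module dumped at 00400000 in process 22 as a 7-Zip self-extracting (SFX) installer stub, and this function as its configuration parser. The Python below is an added triage example, not code from the Joe Sandbox report or from 7-Zip: it carves that configuration out of an SFX executable, locates the embedded .7z payload, and reproduces the stub's launch decision so an analyst can see what runs after extraction without executing the sample. The sample bytes and the temp-folder path are constructed; the launch priority (ExecuteFile, then RunProgram, then setup.exe) and the backslash escapes follow 7-Zip's SfxSetup/TextConfig sources, while treating Directory as a working-directory suffix is a simplification.

```python
"""Triage helper for 7-Zip SFX droppers (added example): carve the installer
configuration out of the executable and reproduce what the stub launches."""
import re
from typing import Dict, Optional, Tuple

CONFIG_START = b";!@Install@!UTF-8!"    # marker from the function's string list
CONFIG_END = b";!@InstallEnd@!"         # marker from the function's string list
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # signature that opens every .7z archive
TEMP_TOKEN = "%%T"                      # the stub replaces this with its temp folder

# Escapes accepted inside a quoted value; anything else keeps its backslash.
_ESCAPES = {"n": "\n", "t": "\t", "\\": "\\", '"': '"'}
# One config line: Key="value", where the value may contain \" sequences.
_LINE_RE = re.compile(r'^\s*([A-Za-z]+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')


def split_sfx(image: bytes) -> Tuple[Optional[bytes], Optional[int]]:
    """Return (config block without its markers, file offset of the .7z payload).

    A 7-Zip SFX executable is laid out as [stub PE][optional config][.7z archive];
    either trailing part may be absent, hence the Optional results.
    """
    config, search_from = None, 0
    start = image.find(CONFIG_START)
    if start >= 0:
        end = image.find(CONFIG_END, start + len(CONFIG_START))
        if end >= 0:
            config = image[start + len(CONFIG_START):end]
            search_from = end + len(CONFIG_END)
    pos = image.find(SEVENZIP_MAGIC, search_from)
    return config, (pos if pos >= 0 else None)


def _unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in _ESCAPES:
            out.append(_ESCAPES[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_sfx_config(block: bytes) -> Dict[str, str]:
    """Parse Key="value" lines. Lines starting with ';' are comments, and the
    first occurrence of a key wins because the stub's lookup returns the first match."""
    params: Dict[str, str] = {}
    for line in block.decode("utf-8", errors="replace").splitlines():
        if line.lstrip().startswith(";"):
            continue
        m = _LINE_RE.match(line)
        if m:
            params.setdefault(m.group(1), _unescape(m.group(2)))
    return params


def resolve_launch(params: Dict[str, str], temp_dir: str) -> Dict[str, str]:
    """Reproduce the stub's launch decision: ExecuteFile goes through ShellExecute,
    otherwise RunProgram through CreateProcess, otherwise setup.exe from the
    extraction folder (the stub reports "Can not find setup.exe" if it is absent).
    Directory is modelled here as a sub-folder of the extraction folder that
    becomes the working directory (a simplification of the stub's handling)."""
    base = temp_dir.rstrip("\\")
    work_dir = base + "\\" + params["Directory"].strip("\\") if params.get("Directory") else base
    if params.get("ExecuteFile"):
        return {"method": "ShellExecute", "target": params["ExecuteFile"],
                "parameters": params.get("ExecuteParameters", ""), "cwd": work_dir}
    program = params.get("RunProgram") or "setup.exe"
    program = program.replace(TEMP_TOKEN + "\\", base + "\\").replace(TEMP_TOKEN, base)
    return {"method": "CreateProcess", "target": program, "parameters": "", "cwd": work_dir}


# Constructed sample (not bytes from the analysed file): a fake stub, a config
# in the style of a dropper, then a truncated .7z header.
_CONFIG_TEXT = b"\r\n".join([
    b'Title="Update Installer"',
    b"; comment lines are allowed",
    b'Directory="bin"',
    b'RunProgram="%%T\\setup.exe /silent"',
])
SAMPLE_IMAGE = (b"MZ" + b"\x90" * 62 + b"fake sfx stub\x00"
                + CONFIG_START + b"\r\n" + _CONFIG_TEXT + b"\r\n" + CONFIG_END
                + SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 26)

# Assumed extraction folder; the real one is created by the stub at run time.
ASSUMED_TEMP_DIR = r"C:\Users\victim\AppData\Local\Temp\7ZipSfx.000"


def triage(image: bytes, temp_dir: str = ASSUMED_TEMP_DIR) -> dict:
    config, archive_offset = split_sfx(image)
    params = parse_sfx_config(config) if config is not None else {}
    return {"params": params, "archive_offset": archive_offset,
            "launch": resolve_launch(params, temp_dir)}


if __name__ == "__main__":
    print(triage(SAMPLE_IMAGE))
```

Run `triage()` on the whole dropper file rather than on a memory dump: the config and the archive are appended after the stub's last section, so a dump of the loaded image (like the 00400000 region above) normally carries the parser's strings but not the configuration itself. The archive offset is the point at which a stand-alone 7z tool can be pointed to extract the payload without running the stub.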

Control-flow Graph
[Control-flow graph image of the function at 0040AD19 (basic blocks 0040AD19 to 0040B613), coloured Executed / Not Executed; the rendered graph's block and edge list is not reproduced here]
APIs
• __EH_prolog.LIBCMT ref: 0040AD1E
  • Part of subcall function 0040D7CC: __EH_prolog.LIBCMT ref: 0040D7D1
  • Part of subcall function 00413310: InitializeCriticalSection.KERNEL32(?,?,?,00000000,00000000), ref: 0041333E
• DeleteCriticalSection.KERNEL32(?), ref: 0040AF52
• DeleteCriticalSection.KERNEL32(?), ref: 0040B1DF
• DeleteCriticalSection.KERNEL32(?), ref: 0040B24A
• DeleteCriticalSection.KERNEL32(?), ref: 0040B2A7
• DeleteCriticalSection.KERNEL32(?), ref: 0040B3B6
• DeleteCriticalSection.KERNEL32(?), ref: 0040B410
• DeleteCriticalSection.KERNEL32(?,?,?,00000004,00000004), ref: 0040B485
• DeleteCriticalSection.KERNEL32(?), ref: 0040B517
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: CriticalSection$Delete$H_prolog$Initialize
• String ID:
• API String ID: 3452124646-0
• Opcode ID: 5f6b8a8cdbdc89edeaeca9fb6a48680f4fe42b6689f54ac84f6a401f85157967
• Instruction ID: 06aa0bffc57edc8446930be4fb3d3ecc4288fdccd94c57135405988f21593cb0
• Opcode Fuzzy Hash: 5f6b8a8cdbdc89edeaeca9fb6a48680f4fe42b6689f54ac84f6a401f85157967
• Instruction Fuzzy Hash: 5D625E7090024ADFDB14DFA4C944BDDBBB4EF14308F1480AEE815B72D2DB789A49DB99
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• __EH_prolog.LIBCMT ref: 004059B8
• AreFileApisANSI.KERNEL32(?,?,00000000,00000003,?,00000000,?,00000000), ref: 004059DC
  • Part of subcall function 0040597A: CreateFileA.KERNEL32(?,00000001,?,00000000,?,?,00000000,?,KA,00405A0D,?,?,?,KA,?,00000001), ref: 0040599C
• CreateFileW.KERNELBASE(?,?,?,00000000,KA,?,00000000,?,00000000,00000003,?,00000000,?,00000000), ref: 00405A41
Strings
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: File$Create$ApisH_prolog
• String ID: KA
• API String ID: 1948390111-4133974868
• Opcode ID: f88b55b959810e929b2353b4b1d1eb61229a220c48e216d77a80ee84dd8b33a8
• Instruction ID: 6ceee1153368ae3910bf8b124445a1a72b78f4c7609cf7ab69cd6f34e54ac91e
• Opcode Fuzzy Hash: f88b55b959810e929b2353b4b1d1eb61229a220c48e216d77a80ee84dd8b33a8
• Instruction Fuzzy Hash: E0118E72A00109EFCF01AFA4D8818DE7F76EF08318F10412AF512B21A1CB398A65DF94
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
[Control-flow graph image of the function at 00408524 (basic blocks 00408524 to 004088C9), coloured Executed / Not Executed; the rendered graph's block and edge list is not reproduced here]
APIs
Strings
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: H_prolog
                                                                                                                                                                                                                                • String ID: 83B$Unknown error
                                                                                                                                                                                                                                • API String ID: 3519838083-1944086607
                                                                                                                                                                                                                                • Opcode ID: 4eafd060168cf62d967f11a2e06bed2b646f89a5601815e0617f26fec8bbc86a
                                                                                                                                                                                                                                • Instruction ID: d43b38567734cbd3d280cef04a8de17ccbe463ec1fdb7709e9180388f705ec22
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4eafd060168cf62d967f11a2e06bed2b646f89a5601815e0617f26fec8bbc86a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A5D17070900259EFCF05DFA4C944ADEBB74BF14318F20846EF845BB291CB78AA45CB95
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Control-flow Graph

APIs
• __EH_prolog.LIBCMT ref: 00408F0F
• GetLastError.KERNEL32(?,00000003,00000003,00000003,?,?,00000000), ref: 00408FD3
  • Part of subcall function 00409184: __EH_prolog.LIBCMT ref: 00409189
  • Part of subcall function 004092E9: __EH_prolog.LIBCMT ref: 004092EE
  • Part of subcall function 00408A3B: __EH_prolog.LIBCMT ref: 00408A40
Strings
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: H_prolog$ErrorLast
• String ID: KA
• API String ID: 2901101390-4133974868
• Opcode ID: b6f1e9e35d0993485aac3e7f0f886f6fddc444a62bfdbd27778ba704e600b33b
• Instruction ID: 1ffdda1e280707f1620b0bff2a1c5a648dc862d45b7bd7d33f28712355ced64d
• Opcode Fuzzy Hash: b6f1e9e35d0993485aac3e7f0f886f6fddc444a62bfdbd27778ba704e600b33b
• Instruction Fuzzy Hash: 7C81677190020AABCF01EFA5C885ADEBBB5BF18318F14416EF455B32A2CB399A05CB54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• __EH_prolog.LIBCMT ref: 004049E2
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00404A6D
Strings
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: ErrorH_prologLast
• String ID: KA
• API String ID: 1057991267-4133974868
• Opcode ID: 17c35cf8e9a7414348f32529b6738b26766f9c2a34e08f9ad75d03fbdc4fbc32
• Instruction ID: ea88e0dbf276ed2b61ac96949af9a946984d9cda694903235269fb2a0f105987
• Opcode Fuzzy Hash: 17c35cf8e9a7414348f32529b6738b26766f9c2a34e08f9ad75d03fbdc4fbc32
• Instruction Fuzzy Hash: 14512671A4010A9ACF10EBA0C945AFFBB74EF91318F14017BE601732D1D779AE46CB99
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: H_prolog
• String ID: KA$KA
• API String ID: 3519838083-594506476
• Opcode ID: 5b0f55770afa12d36702e97ef3d2b3e48a7f6e08a164a6161b21258ea26ce881
• Instruction ID: 3866b3b7da3d7396f9922ec017f7e66c93d936b9f161a27d318f0a0663603341
• Opcode Fuzzy Hash: 5b0f55770afa12d36702e97ef3d2b3e48a7f6e08a164a6161b21258ea26ce881
• Instruction Fuzzy Hash: 7451CF72D042199FDF11DFA4C940BEEBBB4AF05394F14416AE851732E2E3789E85CB68
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3519838083-3916222277
                                                                                                                                                                                                                                • Opcode ID: 74d497e127491c222f436ed49dfb2d2edc1529cc02750c3a0fcf17e54ab28a3b
                                                                                                                                                                                                                                • Instruction ID: cf89379ab294d4739916b9706e3dd1d7b183837ff3903d8a06049ba810aa014c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 74d497e127491c222f436ed49dfb2d2edc1529cc02750c3a0fcf17e54ab28a3b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 19515E71E006069BDB14DFA9C881ABFB7B5EF98304F14853AE405BB381D778A9458BA4
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 1119 403113-40313f call 413954 call 402ee1 call 405841 1126 403141-403156 call 401d1b 1119->1126 1127 403158-40315d 1119->1127 1133 4031b9-4031c1 call 403a9c 1126->1133 1129 403167 1127->1129 1130 40315f-403165 1127->1130 1132 40316a-4031a9 call 4032a8 call 408f0a call 4042ad 1129->1132 1130->1132 1144 4031c6-4031e8 call 401ce1 call 405d0b call 4049dd 1132->1144 1145 4031ab-4031b4 call 401d1b 1132->1145 1139 403298 1133->1139 1141 403299-4032a7 1139->1141 1153 40322a-40327f call 401c80 call 402685 call 403a9c 1144->1153 1154 4031ea-403228 call 409569 call 401d7a call 403a9c * 3 1144->1154 1145->1133 1176 403281 call 40c231 1153->1176 1177 403281 call 40bbc9 1153->1177 1154->1141 1169 403284-403297 call 403a9c * 2 1169->1139 1176->1169 1177->1169

APIs
• __EH_prolog.LIBCMT ref: 00403118
  • Part of subcall function 00405841: __EH_prolog.LIBCMT ref: 00405846
  • Part of subcall function 004049DD: __EH_prolog.LIBCMT ref: 004049E2
  • Part of subcall function 00409569: __EH_prolog.LIBCMT ref: 0040956E

Strings

Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd

Similarity
• API ID: H_prolog
• String ID: Default
• API String ID: 3519838083-753088835
• Opcode ID: f128adbc8c60b4baaeff554b123c1f0edecf7e5f5aa4d41d76fe55222fded7d1
• Instruction ID: 6c236086827897a16f525891fa60e3e62c5941a793998487ad20a929e2e28791
• Opcode Fuzzy Hash: f128adbc8c60b4baaeff554b123c1f0edecf7e5f5aa4d41d76fe55222fded7d1
• Instruction Fuzzy Hash: 76516071900609EFCB10EFA5D8859EEBBB8FF08318F00456FE45277291DB38AA05CB14

Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• __EH_prolog.LIBCMT ref: 00402F1A
  • Part of subcall function 00403376: __EH_prolog.LIBCMT ref: 0040337B
  • Part of subcall function 004034E3: __EH_prolog.LIBCMT ref: 004034E8
  • Part of subcall function 0040309D: __EH_prolog.LIBCMT ref: 004030A2
  • Part of subcall function 0040309D: ShowWindow.USER32(00414BE4,00000001,000001F4,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004030FB
  • Part of subcall function 004131E0: CloseHandle.KERNEL32(00000000,00000000,00403035,?,?,00000000,00000003,?,00000000,?,?,00000000,00000000,00000000), ref: 004131EA
  • Part of subcall function 004131E0: GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 004131F4

Strings

Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd

Similarity
• API ID: H_prolog$CloseErrorHandleLastShowWindow
• String ID: KA
• API String ID: 2740091781-4133974868
• Opcode ID: 4e9039a6ef41e593bfbb802c2a04a2fdc835dade45d0606e7df40fddacf7360b
• Instruction ID: b66072ba2aa71961cefff889ac2f3310996ab01b533407b8592e0c78779ee57e
• Opcode Fuzzy Hash: 4e9039a6ef41e593bfbb802c2a04a2fdc835dade45d0606e7df40fddacf7360b
• Instruction Fuzzy Hash: 2F41AF31900249DBCB11EFA5C991AEDBBB8AF14314F1480BFE906B72D2DB385B45CB55

Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 1228 408902-408925 call 413954 1231 408927-408931 call 403a76 1228->1231 1232 40894b-40894e 1228->1232 1239 408933-40893c 1231->1239 1240 40893e 1231->1240 1234 408950-40895a call 403a76 1232->1234 1235 4089a2-4089b3 call 408524 1232->1235 1246 40897b 1234->1246 1247 40895c-408979 1234->1247 1241 4089b8-4089c2 1235->1241 1243 408940-408949 call 40640d 1239->1243 1240->1243 1244 4089c4-4089c6 1241->1244 1245 4089ca-4089d3 1241->1245 1243->1235 1244->1245 1249 4089d5-4089d7 1245->1249 1250 4089db-4089eb 1245->1250 1251 40897d-408992 call 40640d call 406434 1246->1251 1247->1251 1249->1250 1257 408994-40899a GetLastError 1251->1257 1258 40899c-40899f 1251->1258 1257->1241 1258->1235

APIs
• __EH_prolog.LIBCMT ref: 00408907
• GetLastError.KERNEL32(00000001,00000000,?,?,00000000,?,?,00408AEB,?,?,?,?,?,?,?,00000000), ref: 00408994

Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd

Similarity
• API ID: ErrorH_prologLast
• String ID:
• API String ID: 1057991267-0
• Opcode ID: 3b655691cd2a170c36ef711b3d6cea0560e4eeba85cc05aee82b2e3575fc547f
• Instruction ID: a8fc1237ba57e47b0ed65f04e9c7bd5e3c99de29461016f9efabf40ab0132a5b
• Opcode Fuzzy Hash: 3b655691cd2a170c36ef711b3d6cea0560e4eeba85cc05aee82b2e3575fc547f
• Instruction Fuzzy Hash: 3F3181B19012499FCB10DF95CA859BEBBA0FF04314B14817FE495B72A1CB388D41CB6A

Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Basic blocks (node id: address range, direct calls and API references), in address order:
• 1259: 4051c8-4051de, call 413954, call 405268
• 1263: 4051e3-4051f6, call 40511b
• 1267: 4051f8-4051ff, call 4051a4
• 1273: 405201-405218, call 4051a4, call 403a9c, call 4058cd
• 1283: 40521d-40521f
• 1284: 405221-40522a, call 40498d
• 1291: 40522c-405237, GetLastError
• 1285: 405239-405241, call 405268
• 1274: 405243
• 1266: 405246-405253, call 4051a4, call 403a9c
• 1278: 405254
• 1280: 405256-405263
• 1290: 405264-405266
Edges (source -> destination):
• 1259->1263, 1263->1266, 1263->1267, 1266->1278, 1267->1273, 1267->1274, 1273->1283, 1274->1266, 1278->1280, 1283->1284, 1283->1285, 1284->1290, 1284->1291, 1285->1263, 1290->1280, 1291->1278, 1291->1285
APIs
• __EH_prolog.LIBCMT ref: 004051CD
  • Part of subcall function 0040511B: __EH_prolog.LIBCMT ref: 00405120
  • Part of subcall function 004058CD: __EH_prolog.LIBCMT ref: 004058D2
• GetLastError.KERNEL32(?,?,?,?,00000003,?,00000000,?,00000000), ref: 0040522C
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: H_prolog$ErrorLast
• String ID:
• API String ID: 2901101390-0
• Opcode ID: d33f8126ed8318c7129a01f11b7322f40edc7a38c1873fe00e643a2a39180484
• Instruction ID: 4ca71d6396368880cce983a38ddafe9bc91d36a7a330c4fa26da9ce64be84c4d
• Opcode Fuzzy Hash: d33f8126ed8318c7129a01f11b7322f40edc7a38c1873fe00e643a2a39180484
• Instruction Fuzzy Hash: 43114831C00A059ACF14FBA5D4426EFBB70DF51368F1042BFA462771E28B7C1A4ACE19
Uniqueness

Uniqueness Score: -1.00%

APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000,00414B62,00000001), ref: 00415A09
  • Part of subcall function 004158B0: GetVersionExA.KERNEL32 ref: 004158CF
• HeapDestroy.KERNEL32 ref: 00415A48
  • Part of subcall function 00415A55: HeapAlloc.KERNEL32(00000000,00000140,00415A31,000003F8), ref: 00415A62
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: Heap$AllocCreateDestroyVersion
• String ID:
• API String ID: 2507506473-0
• Opcode ID: 825b9816dc88181ec874f225c5ca0d214e5516542b2a7945f872998de4828b81
• Instruction ID: d610f17f35f819288534aaa08ec9d41b03b5a17a7fe04688d897b1e7918b3c37
• Opcode Fuzzy Hash: 825b9816dc88181ec874f225c5ca0d214e5516542b2a7945f872998de4828b81
• Instruction Fuzzy Hash: 00F03070696A01EBDB206B715DCA7E62A949F84799F104637F540C85A0EB7884C19A1D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Basic blocks (node id: address range, API references), in address order:
• 1292: 405ace-405af5, SetFilePointer
• 1294: 405af7-405aff, GetLastError
• 1295: 405b01-405b03
• 1293: 405b05-405b13
• 1296: 405b15-405b16
Edges (source -> destination):
• 1292->1293, 1292->1294, 1293->1296, 1294->1293, 1294->1295, 1295->1296
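The control-flow graph data in this report (shown on this page for the functions at 4051c8 and 405ace) is emitted as a single flattened `control_flow_graph ...` token stream: node ids, address ranges, `call` targets, API names and `src->dst` edges run together. The Python below is an added example, not code from the Joe Sandbox report or from Joe Sandbox's own tooling: it parses both streams back into basic blocks and edges and answers what an analyst asks of such a graph, namely the entry and exit blocks, which blocks reference a given API, and whether the function loops (a back edge under DFS). The grammar it assumes (a node id is followed by its address range, `call` by a hex target, any other word is an API reference, and `a->b` is an edge) is inferred from the two lines on this page and is an assumption; both inputs are copied from this page verbatim.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Inputs: the two flattened control_flow_graph lines from this report page, copied
# verbatim (function starting at 0x4051c8 and function starting at 0x405ace).
CFG_4051C8 = (
    "control_flow_graph 1259 4051c8-4051de call 413954 call 405268 "
    "1263 4051e3-4051f6 call 40511b 1259->1263 "
    "1266 405246-405253 call 4051a4 call 403a9c 1263->1266 "
    "1267 4051f8-4051ff call 4051a4 1263->1267 1278 405254 1266->1278 "
    "1273 405201-405218 call 4051a4 call 403a9c call 4058cd 1267->1273 "
    "1274 405243 1267->1274 1283 40521d-40521f 1273->1283 1274->1266 "
    "1280 405256-405263 1278->1280 1284 405221-40522a call 40498d 1283->1284 "
    "1285 405239-405241 call 405268 1283->1285 1290 405264-405266 1284->1290 "
    "1291 40522c-405237 GetLastError 1284->1291 1285->1263 1290->1280 "
    "1291->1278 1291->1285"
)
CFG_405ACE = (
    "control_flow_graph 1292 405ace-405af5 SetFilePointer 1293 405b05-405b13 "
    "1292->1293 1294 405af7-405aff GetLastError 1292->1294 1296 405b15-405b16 "
    "1293->1296 1294->1293 1295 405b01-405b03 1294->1295 1295->1296"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    node_id: int
    start: Optional[int] = None                     # first address of the block
    end: Optional[int] = None                       # last address (== start for a one-instruction block)
    calls: List[int] = field(default_factory=list)  # direct call targets inside the module
    apis: List[str] = field(default_factory=list)   # imported API names referenced


@dataclass
class Cfg:
    blocks: Dict[int, Block] = field(default_factory=dict)
    edges: List[Tuple[int, int]] = field(default_factory=list)


def parse_cfg(text: str) -> Cfg:
    """Grammar assumed here (inferred from the page, not documented by Joe Sandbox):
    NODEID RANGE ('call' HEXTARGET | APINAME)* per block, with SRC->DST edge
    tokens interleaved after the blocks they reference."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    cfg = Cfg()
    cur: Optional[Block] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            cfg.edges.append((int(edge.group(1)), int(edge.group(2))))
        elif tok == "call":
            i += 1                                   # the hex target follows the keyword
            cur.calls.append(int(tokens[i], 16))
        elif cur is not None and cur.start is None:  # the token right after a node id is its range;
            lo, _, hi = tok.partition("-")           # tested before isdigit() because a range such
            cur.start, cur.end = int(lo, 16), int(hi or lo, 16)  # as 405254 is all digits too
        elif tok.isdigit():
            cur = Block(int(tok))
            cfg.blocks[cur.node_id] = cur
        else:
            cur.apis.append(tok)                     # anything else is an API reference
        i += 1
    return cfg


def successors(cfg: Cfg) -> Dict[int, List[int]]:
    succ: Dict[int, List[int]] = {n: [] for n in cfg.blocks}
    for src, dst in cfg.edges:
        succ.setdefault(src, []).append(dst)
    return succ


def entry_blocks(cfg: Cfg) -> List[int]:
    """Blocks with no predecessor (normally exactly the function entry)."""
    targets = {dst for _, dst in cfg.edges}
    return [n for n in cfg.blocks if n not in targets]


def exit_blocks(cfg: Cfg) -> List[int]:
    """Blocks with no successor (returns or tail calls)."""
    succ = successors(cfg)
    return [n for n in cfg.blocks if not succ[n]]


def back_edges(cfg: Cfg) -> List[Tuple[int, int]]:
    """Edges that close a cycle, found by DFS from each entry block.
    Non-empty means the function loops; empty means it only branches."""
    succ = successors(cfg)
    state: Dict[int, int] = {}          # 1 = on the DFS stack, 2 = finished
    found: List[Tuple[int, int]] = []

    def visit(n: int) -> None:
        state[n] = 1
        for s in succ.get(n, []):
            if state.get(s) == 1:
                found.append((n, s))
            elif s not in state:
                visit(s)
        state[n] = 2

    for entry in entry_blocks(cfg):
        visit(entry)
    return found


def blocks_referencing(cfg: Cfg, api: str) -> List[int]:
    """Ids of the blocks that reference the named API, in address order."""
    hits = [b for b in cfg.blocks.values() if api in b.apis]
    return [b.node_id for b in sorted(hits, key=lambda b: b.start or 0)]


if __name__ == "__main__":
    for name, text in (("4051c8", CFG_4051C8), ("405ace", CFG_405ACE)):
        cfg = parse_cfg(text)
        print(f"function {name}: {len(cfg.blocks)} blocks, {len(cfg.edges)} edges, "
              f"entry {entry_blocks(cfg)}, exit {exit_blocks(cfg)}, back edges {back_edges(cfg)}, "
              f"GetLastError in {blocks_referencing(cfg, 'GetLastError')}")
```

For the function at 4051c8 the parser reports one back edge, 1285->1263: block 1285 (reached both from 1283 and from the GetLastError block 1291) jumps back to the block that calls 40511b, so the function loops. For the function at 405ace it reports none; its shape, SetFilePointer followed by GetLastError on one branch only and both branches converging on the same exit, is consistent with the documented SetFilePointer contract, where a return value of INVALID_SET_FILE_POINTER is ambiguous unless GetLastError is also consulted.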
APIs
• SetFilePointer.KERNELBASE(?,?,?,?), ref: 00405AE9
• GetLastError.KERNEL32(?,?,?,?), ref: 00405AF7
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 76489df8c25185c5262ec68b9c2ea30a41bcc890bee3aa4ad9f45433592c2f72
• Instruction ID: ae3098a1e04470c1e0e5e0b92581544958da7485e9b3b22056b888074196ff7d
• Opcode Fuzzy Hash: 76489df8c25185c5262ec68b9c2ea30a41bcc890bee3aa4ad9f45433592c2f72
• Instruction Fuzzy Hash: 89F0B7B4504208EFCB14CF54D9448AE7BF9EF49350B108169F815A7390D731AE00DF69
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
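Every Memory Dump Source block on this page names the dump a function was disassembled from with the same dotted scheme, for example `00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp`, listed with `Offset: 00400000` and `based on PE: true`, and the report does not document the fields. The Python below is an added example, not Joe Sandbox code: it parses the seven names from this block under a field layout that is an inference from the values themselves and is labelled as such in the code (process id, run, dump sequence number, region base, PAGE_* protection, an undocumented field kept raw, MEM_* region type, module id), then rebuilds the module's region layout and picks out the executable region, which is the dump an analyst loads into a disassembler. The inference rests on two observations: the first field (0x16 = 22) and the base 0x400000 reappear in the snapshot name `hcaresult_22_2_400000_...`, and the fifth and seventh fields only ever take values that are valid Windows PAGE_* and MEM_* constants.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Dump file names copied from this report page (same process, run and module).
SOURCE_DUMP = "00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp"
ASSOCIATED_DUMPS = [
    "00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp",
    "00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp",
    "00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp",
    "00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp",
    "00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp",
    "00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp",
]

# Windows memory protection and region type constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0                     # any of the four PAGE_EXECUTE* bits
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMPTION: field layout inferred from the values on the page, not documented
# by Joe Sandbox. The first field (0x16 = 22) and the base (0x400000) reappear in
# the snapshot name hcaresult_22_2_400000_..., and fields 5 and 7 only ever hold
# valid PAGE_* / MEM_* constants. Field 6 is kept raw because its meaning is unknown.
DUMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Dump:
    pid: int          # process id (hex in the name)
    run: int          # analysis run / pass number
    dump_id: int      # sequence number of the dump
    base: int         # region base address
    protect: int      # PAGE_* value
    flags: int        # sixth field, meaning not documented on the page, kept raw
    mem_type: int     # MEM_* value
    module_id: int    # id of the module the region belongs to
    name: str


def parse_dump_name(name: str) -> Dump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name in the assumed format: {name}")
    f = m.groups()
    return Dump(int(f[0], 16), int(f[1], 16), int(f[2]), int(f[3], 16),
                int(f[4], 16), int(f[5], 16), int(f[6], 16), int(f[7], 16), name)


def protect_name(d: Dump) -> str:
    return PAGE_PROTECT.get(d.protect & 0xFF, f"0x{d.protect:x}")


def mem_type_name(d: Dump) -> str:
    return MEM_TYPE.get(d.mem_type, f"0x{d.mem_type:x}")


def is_executable(d: Dump) -> bool:
    return bool(d.protect & EXECUTE_MASK)


def module_regions(dumps: List[Dump], module_id: int) -> List[Tuple[int, Optional[int], str]]:
    """(base, size, protection) per region of one module, in address order.
    Size is taken from the next region's base, assuming the regions of one
    image mapping are contiguous; the last region's size is therefore unknown."""
    regs = sorted((d for d in dumps if d.module_id == module_id), key=lambda d: d.base)
    out: List[Tuple[int, Optional[int], str]] = []
    for i, d in enumerate(regs):
        size = regs[i + 1].base - d.base if i + 1 < len(regs) else None
        out.append((d.base, size, protect_name(d)))
    return out


def executable_regions(dumps: List[Dump]) -> List[int]:
    """Bases of the regions worth loading into a disassembler, in address order."""
    return sorted(d.base for d in dumps if is_executable(d))


ALL_DUMPS = [parse_dump_name(n) for n in [SOURCE_DUMP] + ASSOCIATED_DUMPS]

if __name__ == "__main__":
    for base, size, prot in module_regions(ALL_DUMPS, 0x13):
        size_str = "?" if size is None else f"{size:06x}"
        print(f"{base:08x} {size_str} {prot}")
    print("executable:", [f"{b:08x}" for b in executable_regions(ALL_DUMPS)])
```

Run as-is, the layout it prints (read-only header at 0x400000, one PAGE_EXECUTE_READ region at 0x401000, read-only, read-write and write-copy regions above it, all MEM_IMAGE) is the usual section layout of a mapped PE, which is why the report can mark the 0x401000 dump as `based on PE: true` with offset 0x400000.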
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: e20e68f67df63d5f9e9ba5d17b85cf5a5e4b904928eba79c37a56f5e811e61d3
• Instruction ID: 754c2283aee26f26976a66738bb4ef570e525f81dc1fbbef9a6f78583ad2e2a8
• Opcode Fuzzy Hash: e20e68f67df63d5f9e9ba5d17b85cf5a5e4b904928eba79c37a56f5e811e61d3
• Instruction Fuzzy Hash: 5B325D70904249DFDB10DFA8C584ADEBBB4AF58304F1441AEE855BB3C2CB78AE45CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00402812
  • Part of subcall function 00402D80: EnterCriticalSection.KERNEL32(?,?,?,004095B9), ref: 00402D85
  • Part of subcall function 00402D80: LeaveCriticalSection.KERNEL32(?,?,?,?,004095B9), ref: 00402D8F
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CriticalSection$EnterH_prologLeave
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 367238759-0
                                                                                                                                                                                                                                • Opcode ID: 71e1dc36bd9d06b7d898947adcd583decfbfe7f4f6cc64154346a2ad7b3dab8a
                                                                                                                                                                                                                                • Instruction ID: 6b86c84e82b28a82bfdc9d9b9477fa58d6923614df4f06b31c284573bb568367
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 71e1dc36bd9d06b7d898947adcd583decfbfe7f4f6cc64154346a2ad7b3dab8a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 14F1AD30900249DFCF14EFA5C989ADEBBB4AF54318F14806EE445B72E2DB789A45CF19
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3519838083-0
                                                                                                                                                                                                                                • Opcode ID: 463f0c4feddd306d7c1a8d70083033d754a2b3fae2b1194d3c8a033132b27601
                                                                                                                                                                                                                                • Instruction ID: 34c7193a5b50bb33ce0ba2a09d23f7b106f418ab12413814a78bbf0ce5505d58
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 463f0c4feddd306d7c1a8d70083033d754a2b3fae2b1194d3c8a033132b27601
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 62E17F70A00249DFCF10DFA4C988AAEBBB4AF58314F2445AEE495F72D1CB389E45CB55
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 0040EA10
                                                                                                                                                                                                                                  • Part of subcall function 0040FA43: __EH_prolog.LIBCMT ref: 0040FA48
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3519838083-0
                                                                                                                                                                                                                                • Opcode ID: d5330e640343d25a8eedcdb33eba9a98cecc4117f45ccf2878744254283c26ce
                                                                                                                                                                                                                                • Instruction ID: 11288496f406677f7bdfcb919023cacd5b8123072d96ac47e6bfd322b071945c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d5330e640343d25a8eedcdb33eba9a98cecc4117f45ccf2878744254283c26ce
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 38C14770910269DFDB10DFA5C884BDDBBB4BF14308F1080AEE915B72C2CB786A49CB65
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3519838083-0
                                                                                                                                                                                                                                • Opcode ID: 1bd80e4fd0229361987f9fd3b275e1f8f365478e336be0a9cb425272782c87b8
                                                                                                                                                                                                                                • Instruction ID: 8e2da863e0ec0aed1c7df7ef9f788bacddda9dad52c8f94b50dff24b72cd6dff
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1bd80e4fd0229361987f9fd3b275e1f8f365478e336be0a9cb425272782c87b8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A7814A71E006059BCB24EBA9C481ADEFBB0BF48304F14453EE445B3791DB38A949CB99
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3519838083-0
                                                                                                                                                                                                                                • Opcode ID: 63c8e573d396fc96efa94e1a42408f9b291e1898eda9953334360b92db0a26c8
                                                                                                                                                                                                                                • Instruction ID: 9f9062e63dd4364452e2da1ca70528b8602d2a0ea6fe4ab8d483929f8703c9bd
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 63c8e573d396fc96efa94e1a42408f9b291e1898eda9953334360b92db0a26c8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 69518C31C04145DBCB15DFA8C884EAA7B71AF45308F1880BBE4157F2D2DA399A4EDB5D
                                                                                                                                                                                                                                Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: f15c909000a7bc487a9015a8e9d061d5051666e8d9c8f725cb2d7f58cfb25987
• Instruction ID: af1ffdf326ee6b9e8f9f4efb185a7a75328b0af80e7613720a9e9424578e33b6
• Opcode Fuzzy Hash: f15c909000a7bc487a9015a8e9d061d5051666e8d9c8f725cb2d7f58cfb25987
• Instruction Fuzzy Hash: A9416D71A00646CFCB24DF58C48496ABBF1FF48314B2486AED096AB392C371ED46CF94
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0040D1B0
  • Part of subcall function 0040F8C3: __EH_prolog.LIBCMT ref: 0040F8C8
  • Part of subcall function 0040D2CF: __EH_prolog.LIBCMT ref: 0040D2D4
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 580a599ea2fd8de7821de45faa8408fd12c279d3f34bd44459390ae0071a66e9
• Instruction ID: 9d10d91046bd1a4dd32f0e664b06ea8990f5f8cc09720d5c411fd584516079ca
• Opcode Fuzzy Hash: 580a599ea2fd8de7821de45faa8408fd12c279d3f34bd44459390ae0071a66e9
• Instruction Fuzzy Hash: 83313031901254DBCB11EFA4C6487EDBBB5AF15304F1440AEE8057B382DB78DE49DBA6
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 00413F8A
  • Part of subcall function 0041570A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415747
  • Part of subcall function 0041570A: EnterCriticalSection.KERNEL32(?,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415762
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: CriticalSection$AllocateEnterHeapInitialize
• String ID:
• API String ID: 1616793339-0
• Opcode ID: ba869b70dadc95adccf46eac288c3ec4a3f94eb288c9c5288a46f5d51cb0c97c
• Instruction ID: 7c2cfac85a053aeac9454e1c2b35b253285297f11283e44f43d764ba5cf7311f
• Opcode Fuzzy Hash: ba869b70dadc95adccf46eac288c3ec4a3f94eb288c9c5288a46f5d51cb0c97c
• Instruction Fuzzy Hash: 1A217431E44605EBDB10AFA9DC42BDAB7B4EB01765F10421BF411EB2D0C778AAC28A58
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074), ref: 00414073
  • Part of subcall function 0041570A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415747
  • Part of subcall function 0041570A: EnterCriticalSection.KERNEL32(?,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415762
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: CriticalSection$EnterFreeHeapInitialize
• String ID:
• API String ID: 641406236-0
• Opcode ID: d24b5f948fba04bba88b9cd0cdc5eff1b7a8b89ab7c34ea04cbff2048bde7936
• Instruction ID: 47133188c5d3e4a4a91398ef735a592283a7fe3b34e77d79aa204ad2d485eaa9
• Opcode Fuzzy Hash: d24b5f948fba04bba88b9cd0cdc5eff1b7a8b89ab7c34ea04cbff2048bde7936
• Instruction Fuzzy Hash: 8321C572901609EADB20ABA6DC46BDE7B78EF48764F14021BF511B61C0D77C89C18AAD
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0040A016
  • Part of subcall function 00409C49: __EH_prolog.LIBCMT ref: 00409C4E
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: a5db852efdc6b67417a23c65be594c4014babbfd4966d5bc1e1ef807a1e39f82
• Instruction ID: 1dffea12e82b47f2a36155f0264cd4dada82ecc0bfe076f3ab6191fd12039e28
• Opcode Fuzzy Hash: a5db852efdc6b67417a23c65be594c4014babbfd4966d5bc1e1ef807a1e39f82
• Instruction Fuzzy Hash: 4C118FB0A01254DADB09EBAAC5153EDFBA69FA1318F14419FA542732D2CBF81B048666
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004092EE
  • Part of subcall function 00402634: __EH_prolog.LIBCMT ref: 00402639
  • Part of subcall function 00405841: __EH_prolog.LIBCMT ref: 00405846
  • Part of subcall function 00413D3D: RaiseException.KERNEL32(00000003,00000000,00000003,?,00000003,?,00000003,00000000,00000000,00401055,00000003,?,00000000), ref: 00413D6B
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: H_prolog$ExceptionRaise
• String ID:
• API String ID: 2062786585-0
• Opcode ID: 0f97881bfda5a338648d471f12701516f54a75613031e54e105c5c79c14cffea
• Instruction ID: f7fbb3e9a8787d76bf0f9f15101cef5fd9d7ebfa1ebb25f778e30044bb5e9d70
• Opcode Fuzzy Hash: 0f97881bfda5a338648d471f12701516f54a75613031e54e105c5c79c14cffea
• Instruction Fuzzy Hash: 7B01D6766406049ACB10EF25C451ADEBBB1FF95318F00852FE896632E1CB785649CF54
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFileAttributesW.KERNELBASE ref: 004048F1
  • Part of subcall function 004048FF: __EH_prolog.LIBCMT ref: 00404904
  • Part of subcall function 004048FF: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00404920
  • Part of subcall function 0040489C: SetFileAttributesA.KERNELBASE(?,00000000,00404D1C,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 0040489E
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: File$Attributes$ApisH_prolog
• String ID:
• API String ID: 3885834519-0
• Opcode ID: 5b715810b1dd674a34631cbecd8c08cc0b37525bd29b6e223b4e60d05e4c896b
• Instruction ID: d8abee0b5bf8aaacd3c7805e8248c04f8c14d25ec22198af343fb12e16f398c4
• Opcode Fuzzy Hash: 5b715810b1dd674a34631cbecd8c08cc0b37525bd29b6e223b4e60d05e4c896b
• Instruction Fuzzy Hash: 76E02B66F002502BC7103BA5AC065DB3B9D9B81314B20C43BA602A3291E9388E44A258
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000), ref: 004049D0
  • Part of subcall function 004048FF: __EH_prolog.LIBCMT ref: 00404904
  • Part of subcall function 004048FF: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00404920
  • Part of subcall function 0040498D: CreateDirectoryA.KERNELBASE(?,00000000,00405228,?,?,?,?,00000003,?,00000000,?,00000000), ref: 00404990
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: CreateDirectory$ApisFileH_prolog
• String ID:
• API String ID: 1021588753-0
• Opcode ID: 64b02790250bc5f7a2d9c9dee2bb0ba3baf7154ac0717740dd27b10109941aca
• Instruction ID: 2f64d7a75cdf7ff6db5ed191fdbb19fa086d8aebc57dacf92a4c812467fb8a6f
• Opcode Fuzzy Hash: 64b02790250bc5f7a2d9c9dee2bb0ba3baf7154ac0717740dd27b10109941aca
• Instruction Fuzzy Hash: 18E0DFA0B002002BCB147B79AC0679E376D4B80218F10867EA652671E1EA7999449608
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempFileNameA.KERNELBASE(?,?,00000000,00000003,?,?,00000000,004050FF,?,?,?,00405160,?,?,?,00000003), ref: 004050CE
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: FileNameTemp
• String ID:
• API String ID: 745986568-0
• Opcode ID: b528cc7740eeb1b4bc26185d4807bc948aa73c1e47f21f7391ebf62f515a6cd3
• Instruction ID: d5c13e583cf4c34c7a3a11816bb62f42e40da82da4d3cfe63a6d47b8b5213b5b
• Opcode Fuzzy Hash: b528cc7740eeb1b4bc26185d4807bc948aa73c1e47f21f7391ebf62f515a6cd3
• Instruction Fuzzy Hash: 91E086723016106BD71056699C45A4BA7DEDFD8752F15843FB545E3381D6B48C004A78
Uniqueness
Uniqueness Score: -1.00%
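
The function records above are machine-generated and only become useful once they are pulled into structured form, for instance to list the Win32 entry points the dumped module reaches or to pivot on an Instruction Fuzzy Hash across reports of related samples. The Python parser below is an added example, not part of the Joe Sandbox report or of its tooling. It reads the plain-text record layout shown on this page (the APIs / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity / Uniqueness headers, the bulleted fields, and the "Part of subcall function" sub-entries) and strips the "Download File" link text that HTML extraction fuses onto the associated dump names. The sample input is constructed from two of the entries on this page; the layout the parser assumes is exactly what this page shows and nothing beyond it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Section headers that structure each function record; a new record starts at "APIs".
SECTION_HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                   "Similarity", "Uniqueness"}

# One API reference line: optional "Part of subcall function XXXXXXXX:" prefix,
# "Api.MODULE", optional "(args)" and the trailing "ref: XXXXXXXX" call-site address.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
LINK_RESIDUE = "Download File"  # hyperlink text that HTML extraction glues onto dump names


@dataclass
class ApiRef:
    api: str
    module: str
    ref: int                  # call-site address in the dump
    subcall: Optional[int]    # callee address for "Part of subcall" lines, else None
    args: Tuple[str, ...]     # argument values as rendered by the report ('?' = unknown)


@dataclass
class FunctionRecord:
    api_refs: List[ApiRef] = field(default_factory=list)
    associated: List[str] = field(default_factory=list)   # associated .sdmp regions
    fields: Dict[str, str] = field(default_factory=dict)  # Source File, API ID, hashes, ...


def parse_records(text: str) -> List[FunctionRecord]:
    """Parse the plain-text function listing into one FunctionRecord per "APIs" block."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if section == "APIs":
                current = FunctionRecord()
                records.append(current)
            continue
        if current is None:
            continue  # tail of a record cut off before the first "APIs" header
        if line.startswith("•"):
            line = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(line)
            if m is None:
                continue  # tolerate lines the regex does not understand
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            current.api_refs.append(ApiRef(
                api=m["api"], module=m["mod"], ref=int(m["ref"], 16),
                subcall=int(m["sub"], 16) if m["sub"] else None, args=args))
        else:
            key, sep, value = line.partition(":")
            if not sep:
                continue
            key = key.strip()
            value = value.strip().removesuffix(LINK_RESIDUE).rstrip()  # Python 3.9+
            if key == "Associated":
                current.associated.append(value)
            else:
                current.fields[key] = value
    return records


def imported_apis(records: List[FunctionRecord], skip_modules=("LIBCMT",)):
    """Distinct (module, api) pairs referenced by any record, dropping CRT-internal
    helpers such as __EH_prolog.LIBCMT by default."""
    seen = {(r.module, r.api) for rec in records for r in rec.api_refs
            if r.module not in skip_modules}
    return sorted(seen)


# Constructed sample: the SetFileAttributesW and CreateDirectoryW entries from this report,
# in the plain-text form the HTML export produces ("Download File" fused onto a dump name).
SAMPLE_REPORT = """\
APIs
• SetFileAttributesW.KERNELBASE ref: 004048F1
  • Part of subcall function 004048FF: __EH_prolog.LIBCMT ref: 00404904
  • Part of subcall function 004048FF: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00404920
  • Part of subcall function 0040489C: SetFileAttributesA.KERNELBASE(?,00000000,00404D1C,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 0040489E
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
Similarity
• API ID: File$Attributes$ApisH_prolog
• API String ID: 3885834519-0
• Instruction Fuzzy Hash: 76E02B66F002502BC7103BA5AC065DB3B9D9B81314B20C43BA602A3291E9388E44A258
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000), ref: 004049D0
  • Part of subcall function 004048FF: __EH_prolog.LIBCMT ref: 00404904
  • Part of subcall function 004048FF: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00404920
  • Part of subcall function 0040498D: CreateDirectoryA.KERNELBASE(?,00000000,00405228,?,?,?,?,00000003,?,00000000,?,00000000), ref: 00404990
Similarity
• API ID: CreateDirectory$ApisFileH_prolog
• Instruction Fuzzy Hash: 18E0DFA0B002002BCB147B79AC0679E376D4B80218F10867EA652671E1EA7999449608
"""
```

Fed the page's full listing instead of the sample, `imported_apis` yields the set of KERNELBASE/KERNEL32/OLEAUT32 entry points the dumped module at 00400000 references (here the W/A file-API pairs that appear next to the AreFileApisANSI calls), and each record's `fields["Instruction Fuzzy Hash"]` is the value to compare against the same field in reports of other samples; the `ref` addresses are the call sites to jump to in the associated .sdmp dump.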

APIs
• SysAllocString.OLEAUT32(?), ref: 00405D71
  • Part of subcall function 00413D3D: RaiseException.KERNEL32(00000003,00000000,00000003,?,00000003,?,00000003,00000000,00000000,00401055,00000003,?,00000000), ref: 00413D6B
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: AllocExceptionRaiseString
• String ID:
• API String ID: 1415472724-0
• Opcode ID: 313272d88e3834385c103984260c6c8c9ca4a4ab5fd4d804f695adf0373ca9e7
                                                                                                                                                                                                                                • Instruction ID: d0734d5c7e5939215d37afae748a6b456316f2180b0855a0f59ce99ff0d6cfc1
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 313272d88e3834385c103984260c6c8c9ca4a4ab5fd4d804f695adf0373ca9e7
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C0E0E572640704A6C7209F65D8559877BE8EF00385B10C43FF548D6150E779E5508BD8
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 004058D2
                                                                                                                                                                                                                                  • Part of subcall function 00405806: __EH_prolog.LIBCMT ref: 0040580B
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3519838083-0
                                                                                                                                                                                                                                • Opcode ID: 4dbd7d17023fb4ed967e01381c8a8867ec9f7b58b557c0ee91cef2e13e81d9e3
                                                                                                                                                                                                                                • Instruction ID: 5bfd618a99589873673dbdde5608ad138896477ef474a485a6b18cf586c7d2b5
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4dbd7d17023fb4ed967e01381c8a8867ec9f7b58b557c0ee91cef2e13e81d9e3
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E7E01A72D410049ACB05BB95E9526EDB778EF51319F10403BA412725919B785E18CA58
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00405CAA
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FileWrite
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3934441357-0
                                                                                                                                                                                                                                • Opcode ID: e8bb3e3f97a2863afff16af0127552a93838812ee23e56086e0288621279a6ee
                                                                                                                                                                                                                                • Instruction ID: 646c0e8b7f70081892c45aa98fa77e415187d9694f298a279afc83584de54578
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e8bb3e3f97a2863afff16af0127552a93838812ee23e56086e0288621279a6ee
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F8E0E575600208FFCB11CF95C801B8E7BF9EB09364F20C069F914AA260D339EA50DF54
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 00405846
                                                                                                                                                                                                                                  • Part of subcall function 004055DE: __EH_prolog.LIBCMT ref: 004055E3
                                                                                                                                                                                                                                  • Part of subcall function 004055DE: FindFirstFileW.KERNELBASE(?,?), ref: 00405611
                                                                                                                                                                                                                                  • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FindH_prolog$CloseFileFirst
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2004497850-0
                                                                                                                                                                                                                                • Opcode ID: 220b4cbfc40620496b03372d3826f196b8ab05123004ed9f75f8387d5271fe3c
                                                                                                                                                                                                                                • Instruction ID: b7fde63f1f0c292b4e5d00ec8c3d5d27a79480d2707f186765d0e2b5b752fd38
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 220b4cbfc40620496b03372d3826f196b8ab05123004ed9f75f8387d5271fe3c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7CE04FB1951506ABCB14DF50CC52AEEB734FB1131CF10421EE021722D08B785648CA28
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 0040580B
                                                                                                                                                                                                                                  • Part of subcall function 0040553A: FindFirstFileA.KERNELBASE(?,?,000000FF), ref: 00405559
                                                                                                                                                                                                                                  • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Find$CloseFileFirstH_prolog
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 889498515-0
                                                                                                                                                                                                                                • Opcode ID: bc6002362a3e3570d7b7dbbff413248cb0e6e96336b5f812f3c621cb83c14948
                                                                                                                                                                                                                                • Instruction ID: 15a52a3ac40e1f9f01e416ae3406c700f8aec04b6379e90cb97043f6baa550c5
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bc6002362a3e3570d7b7dbbff413248cb0e6e96336b5f812f3c621cb83c14948
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2AE01AB195150AAACB04DB50CC52AEEB760EB1131CF00421AA421722D0877856488A28
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 0040F8C8
                                                                                                                                                                                                                                  • Part of subcall function 0040F648: __EH_prolog.LIBCMT ref: 0040F64D
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3519838083-0
                                                                                                                                                                                                                                • Opcode ID: fd9f4e5796ff426001010c6032b0bd2709108ec26b7ef45d9eef3846ac2bdd07
                                                                                                                                                                                                                                • Instruction ID: 6b40bdca6a02cd8c303c1b1c800ac92429027f894e9b325ac65d5e69f4ab0667
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fd9f4e5796ff426001010c6032b0bd2709108ec26b7ef45d9eef3846ac2bdd07
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0CD01272911104EBD711AB49D842BDEBB68EB8135DF10853BF00171550C37D56459569
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • ReadFile.KERNELBASE(000000FF,00000000,?,?,00000000,000000FF,?,00405BC6,00000000,?,00000000,?,00405BEC,00000000,?,00000000), ref: 00405B91
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FileRead
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2738559852-0
                                                                                                                                                                                                                                • Opcode ID: a0fa365660526cfbb9cae47ffd537a5a3e67cffdb1018a760807b9850e2f108c
                                                                                                                                                                                                                                • Instruction ID: c5e24743f6b433bb21cc94cc2971fe47eb8403274bd7f90fdb54931116458873
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a0fa365660526cfbb9cae47ffd537a5a3e67cffdb1018a760807b9850e2f108c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7EE0EC75241208FBCB01CF90CD01FCE7BB9EB49754F208058E90596160D375AA14EB54
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CloseFind
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1863332320-0
                                                                                                                                                                                                                                • Opcode ID: a5f15e60ddec85d8ac06024adb1482cc35c18756887bd61c03bc9ed0d5cb4483
                                                                                                                                                                                                                                • Instruction ID: 986561ebb0227da743eeb2b9ec995cdcc659c9848a972ac8d271436d9e92df52
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a5f15e60ddec85d8ac06024adb1482cc35c18756887bd61c03bc9ed0d5cb4483
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6BD0123150452166CF745E3C7C459C333D99A123B03660BAAF4B4D32E5D3748CC35AD4
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • FindCloseChangeNotification.KERNELBASE(00000000,?,00405A2C,?,00000000,00000003,?,00000000,?,00000000), ref: 00405A6E
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ChangeCloseFindNotification
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2591292051-0
                                                                                                                                                                                                                                • Opcode ID: 762bf37c8decbf6063af4facc99c374a5abed3ea2b8a5978318a093aad6de801
                                                                                                                                                                                                                                • Instruction ID: 8a38a6d9813b312501c47e0c29c9a2f8cf12ac5fa7676fc4773f80372e0f1af5
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 762bf37c8decbf6063af4facc99c374a5abed3ea2b8a5978318a093aad6de801
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5CD0C93160462146CA645E3C7C849D737D89A16330325176AF0B5D22E4D3748D875E94
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 0040489C: SetFileAttributesA.KERNELBASE(?,00000000,00404D1C,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 0040489E
                                                                                                                                                                                                                                • DeleteFileA.KERNELBASE(?,?,00404DBF,?,00000000,?,?,?,?,?,00000000), ref: 00404BED
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: File$AttributesDelete
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2910425767-0
                                                                                                                                                                                                                                • Opcode ID: aaa2e24e3cadb2417611b806b2e2b1e55713074da21130e803bc74bd8fb11f06
                                                                                                                                                                                                                                • Instruction ID: 9a45e8f854b003a178289988cc7fc064ae5902da4cc88310474d582750e90668
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: aaa2e24e3cadb2417611b806b2e2b1e55713074da21130e803bc74bd8fb11f06
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0BC08C26209231439A043ABA3805ACB171E0EC122030AC0BBB800A2059CB288DC221DC
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• SetFileTime.KERNELBASE(?,?,?,?,00405C84,00000000,00000000,?,00402E12,?), ref: 00405C68
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: FileTime
• String ID:
• API String ID: 1425588814-0
• Opcode ID: c611d48c496a84d7274e6d5b9c1e90c61bae575044892d23a6eff34163934cc8
• Instruction ID: 87fe90df0bd66b56430cb58ce5188ab21e49bedd0782b4bf3c7b48ca6ef22eff
• Opcode Fuzzy Hash: c611d48c496a84d7274e6d5b9c1e90c61bae575044892d23a6eff34163934cc8
• Instruction Fuzzy Hash: 8EC04C36158105FF8F020F70CC04C5EBFA2EB99711F10C918B269C40B0C7328024EB02
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFileAttributesA.KERNELBASE(?,00000000,00404D1C,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 0040489E
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 9ef3a3077910c683e57a22045a29601e29b9581d2df390f15cf492c25b36c35e
• Instruction ID: c0231da6564a4fbd22ddd4f059f5cfeb57e5ba4ab4dd36146b68eeddd1056acd
• Opcode Fuzzy Hash: 9ef3a3077910c683e57a22045a29601e29b9581d2df390f15cf492c25b36c35e
• Instruction Fuzzy Hash: 5BA002A03112059BA6145B315E0AB6F296DEDC9AE1705C56C7412C5060EB29C9505565
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNELBASE(?,00000000,00405228,?,?,?,?,00000003,?,00000000,?,00000000), ref: 00404990
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: b19b64997772cde21bab08b79878e27a599263e6d5f620d435ec54b846f4109b
• Instruction ID: 18df801fa9cda183c38834b8287032c54ef98b8f5de1dc60049a64e9909c76fe
• Opcode Fuzzy Hash: b19b64997772cde21bab08b79878e27a599263e6d5f620d435ec54b846f4109b
• Instruction Fuzzy Hash: DCA0223030030283E2200F320E0AB0F280CAF08AC0F00C02C3000C80E0FB28C000008C
Uniqueness

Uniqueness Score: -1.00%

APIs
• LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 004070DD
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: CriticalLeaveSection
• String ID:
• API String ID: 3988221542-0
• Opcode ID: f2ff9836336f67d9ff12deaf62cc92e2eac5b33916cf9d308384194b51d8e0a8
• Instruction ID: e1c64c6d5edf12e6328a1e744b201271d318d100f8e499d88b0975d8390c0fb0
• Opcode Fuzzy Hash: f2ff9836336f67d9ff12deaf62cc92e2eac5b33916cf9d308384194b51d8e0a8
• Instruction Fuzzy Hash: AEF0BE32A041849BCF11DFA0C80898A7F61FF55310B0084ABF905A7251C7359C10DF61
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 004178A3
• GetStdHandle.KERNEL32(000000F4,0041BD2C,00000000,00000000,00000000,?), ref: 00417979
• WriteFile.KERNEL32(00000000), ref: 00417980
Strings
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $X*B$*B
• API String ID: 3784150691-2787626558
• Opcode ID: a5ae5b659794e102b2e8aa4557315333f416c08d847f0ab12ced78ba572f4f7a
• Instruction ID: 83e6cc08efc147308ddc610541e3e7ace00831554afff49654370310fabd765f
• Opcode Fuzzy Hash: a5ae5b659794e102b2e8aa4557315333f416c08d847f0ab12ced78ba572f4f7a
• Instruction Fuzzy Hash: 6E310472A00218AFEF20E660DD45FDA737DEB45344F5000ABF544D6140EBBCAAC58BAD
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0041795A,?,Microsoft Visual C++ Runtime Library,00012010,?,0041BD2C,?,0041BD7C,?,?,?,Runtime Error!Program: ), ref: 00418332
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0041834A
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0041835B
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00418368
Strings
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
• API String ID: 2238633743-4044615076
• Opcode ID: 3f0a24d6d85b05054a3dd2e72677b881a91c1b783ec14cf3ede4e9bf1f2578f7
• Instruction ID: e87ed1bb16eb8be6f8b96595097180185a60ce52c98033cfd4ddfb8cddd90555
• Opcode Fuzzy Hash: 3f0a24d6d85b05054a3dd2e72677b881a91c1b783ec14cf3ede4e9bf1f2578f7
• Instruction Fuzzy Hash: C50179713002057F87209FB59C80A9B7AF4EB44B45318003EB558C3251DB6DCFC29BE9
Uniqueness
Uniqueness Score: -1.00%
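The entries in this part of the report are Joe Sandbox's per-function listings: the Win32 calls a function makes (with the argument snapshot and the call-site address after `ref:`), the memory dump it was disassembled from, and the similarity keys (`API ID`, `String ID`, `API String ID`, opcode and instruction fuzzy hashes) used to match it against functions in other reports. Most of the functions shown here are statically linked MSVC C runtime code rather than the sample's own logic: the LCMapString/GetStringType/MultiByteToWideChar wrappers, the GetEnvironmentStrings routine, the GetVersionExA/`__MSVCRT_HEAP_SELECT` startup code, and the routine above that loads user32.dll and resolves MessageBoxA to display the "Microsoft Visual C++ Runtime Library" runtime-error box. The Python below is an added example and is not part of the report or of Joe Sandbox. It parses entries in this format, extracts the API set, call-site addresses, similarity keys and uniqueness score for each function, lists the exports a function resolves through GetProcAddress (imports that never show up in the PE import table, which is as true of payload code as it is of the CRT), and applies a deliberately narrow CRT-noise filter so triage time goes to the remaining functions. The sample text is transcribed from two entries on this page with the page indentation and the "Download File" link residue removed; the `CRT_NOISE_APIS` set is my own assumption, not something the report states.

```python
"""Parse Joe Sandbox per-function entries (APIs / Similarity / Uniqueness
blocks) and triage them. Added example; CRT_NOISE_APIS is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# "• LoadLibraryA.KERNEL32(user32.dll,?,...), ref: 00418332"
# "• GetVersionExA.KERNEL32 ref: 004158CF"   (no argument snapshot)
API_CALL_RE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# "• API ID: AddressProc$LibraryLoad", "• Instruction Fuzzy Hash: ...", etc.
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?[\d.]+)%")


@dataclass
class FunctionEntry:
    # (api name, module, argument snapshot, call-site address)
    apis: List[Tuple[str, str, List[str], int]] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # API ID, hashes, ...
    uniqueness: Optional[float] = None

    @property
    def api_names(self) -> Set[str]:
        return {name for name, _, _, _ in self.apis}


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split report text into entries; each entry opens with an 'APIs' header."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None or not line:
            continue
        m = API_CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append((m["name"], m["module"], args, int(m["ref"], 16)))
            continue
        m = SCORE_RE.match(line)
        if m:
            cur.uniqueness = float(m["score"])
            continue
        m = KV_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"]
    return entries


def dynamic_imports(entry: FunctionEntry) -> Set[str]:
    """Export names passed to GetProcAddress: these never appear in the PE
    import table, so they are worth listing separately during triage."""
    names: Set[str] = set()
    for name, _, args, _ in entry.apis:
        if name == "GetProcAddress" and len(args) >= 2:
            target = args[1]
            if not re.fullmatch(r"[0-9A-Fa-f]{8}|\?", target):  # skip raw addresses
                names.add(target)
    return names


# Assumption (not from the report): Win32 calls made by the statically linked
# MSVC C runtime's locale/environment/startup helpers. Kept deliberately narrow:
# LoadLibrary/GetProcAddress stay in scope because payload code uses them too.
CRT_NOISE_APIS = frozenset({
    "LCMapStringA", "LCMapStringW", "GetStringTypeA", "GetStringTypeW",
    "MultiByteToWideChar", "WideCharToMultiByte",
    "GetEnvironmentStrings", "GetEnvironmentStringsW",
    "FreeEnvironmentStringsA", "FreeEnvironmentStringsW",
    "GetVersionExA", "GetModuleFileNameA", "GetEnvironmentVariableA",
})


def is_crt_noise(entry: FunctionEntry) -> bool:
    """True when every call the function makes is in the CRT boilerplate set."""
    return bool(entry.apis) and entry.api_names <= CRT_NOISE_APIS


# Constructed sample: two entries transcribed from this report, indentation and
# "Download File" residue removed, some lines omitted for brevity.
SAMPLE_REPORT = """\
APIs
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0041795A,?,Microsoft Visual C++ Runtime Library,00012010,?,0041BD2C,?,0041BD7C,?,?,?,Runtime Error!Program: ), ref: 00418332
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0041834A
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0041835B
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00418368
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
• API String ID: 2238633743-4044615076
Uniqueness Score: -1.00%

APIs
• LCMapStringW.KERNEL32(00000000,00000100,0041BDF8,00000001,00000000,00000000,74DEE860,004256C4,?,?,?,004186BE,?,?,?,00000000), ref: 0041885F
• LCMapStringA.KERNEL32(00000000,00000100,0041BDF4,00000001,00000000,00000000,?,?,004186BE,?,?,?,00000000,00000001), ref: 0041887B
• String ID:
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_REPORT):
        verdict = "crt-noise" if is_crt_noise(e) else "review"
        print(verdict, sorted(e.api_names), sorted(dynamic_imports(e)))
```

Run against a whole report, the "review" entries are the ones to read first; the `API String ID` and fuzzy hash values they carry are the keys to search for in other Joe Sandbox reports for the same function. The noise filter is intentionally conservative: a function that mixes CRT calls with anything outside the set is still reported for review.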

APIs
• LCMapStringW.KERNEL32(00000000,00000100,0041BDF8,00000001,00000000,00000000,74DEE860,004256C4,?,?,?,004186BE,?,?,?,00000000), ref: 0041885F
• LCMapStringA.KERNEL32(00000000,00000100,0041BDF4,00000001,00000000,00000000,?,?,004186BE,?,?,?,00000000,00000001), ref: 0041887B
• LCMapStringA.KERNEL32(?,?,?,004186BE,?,?,74DEE860,004256C4,?,?,?,004186BE,?,?,?,00000000), ref: 004188C4
• MultiByteToWideChar.KERNEL32(?,004256C5,?,004186BE,00000000,00000000,74DEE860,004256C4,?,?,?,004186BE,?,?,?,00000000), ref: 004188FC
• MultiByteToWideChar.KERNEL32(00000000,00000001,?,004186BE,?,00000000,?,?,004186BE,?), ref: 00418954
• LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,004186BE,?), ref: 0041896A
• LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,004186BE,?), ref: 0041899D
• LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,004186BE,?), ref: 00418A05
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: String$ByteCharMultiWide
• String ID:
• API String ID: 352835431-0
• Opcode ID: 7893c33c6b407451d02d995758827eecb7b20065fa294207cf6247e34bc0c6e9
• Instruction ID: 3960beb12fca16cbc5043acf4b8975ab8d8a6698fa07e30ad5f7fd63c5f4fb56
• Opcode Fuzzy Hash: 7893c33c6b407451d02d995758827eecb7b20065fa294207cf6247e34bc0c6e9
• Instruction Fuzzy Hash: 14517B71900209EFCF228F95CC45AEF7FB5FF48794F10452AF918A1260C7398991DBAA
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 0041752A
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 0041753E
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 0041756A
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00414B9A), ref: 004175A2
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00414B9A), ref: 004175C4
• FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00414B9A), ref: 004175DD
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 004175F0
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041762E
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide
• String ID:
• API String ID: 1823725401-0
• Opcode ID: da4329af8d6592d056d9235971ceaca8771b6712013f4c601b47c126e69dc7f4
• Instruction ID: 0d29547afa55ef8e208fbe3ff43deda8167c9cf171b961166aceb77faed46397
• Opcode Fuzzy Hash: da4329af8d6592d056d9235971ceaca8771b6712013f4c601b47c126e69dc7f4
• Instruction Fuzzy Hash: 4A31ADB250D3157ED7207F799C848FBBABDEA49368B11053BF555C3200EA298DC286AD
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStringTypeW.KERNEL32(00000001,0041BDF8,00000001,?,74DEE860,004256C4,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418AAB
• GetStringTypeA.KERNEL32(00000000,00000001,0041BDF4,00000001,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418AC5
• GetStringTypeA.KERNEL32(?,?,?,?,004186BE,74DEE860,004256C4,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418AF9
• MultiByteToWideChar.KERNEL32(?,004256C5,?,?,00000000,00000000,74DEE860,004256C4,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418B31
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,004186BE,?), ref: 00418B87
• GetStringTypeW.KERNEL32(?,?,00000000,004186BE,?,?,?,?,?,?,004186BE,?), ref: 00418B99
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: StringType$ByteCharMultiWide
• String ID:
• API String ID: 3852931651-0
• Opcode ID: 3d6b6e16685600d833415d128f0286c3ce565afe4e7b6c7271f7b5a09b5fc09b
• Instruction ID: e288f18e772608454304c6360a88be647065f5ca3cb36798b5d5ed4d75a3f5a0
• Opcode Fuzzy Hash: 3d6b6e16685600d833415d128f0286c3ce565afe4e7b6c7271f7b5a09b5fc09b
• Instruction Fuzzy Hash: B0416DB2600219BFCF208F94DC86EEF7F79EB08794F10442AF915D2250D7389991CBA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32 ref: 004158CF
• GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00415904
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00415964
Strings
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Similarity
• API ID: EnvironmentFileModuleNameVariableVersion
• String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
• API String ID: 1385375860-4131005785
• Opcode ID: a0a65974b78899c378749041d22a9f94542c4ef0915f209cf1eaea54d79fba9d
• Instruction ID: 007b09a40ac423c1d447adb87a92c2e34be193f5817f586218815b66d4303cb2
• Opcode Fuzzy Hash: a0a65974b78899c378749041d22a9f94542c4ef0915f209cf1eaea54d79fba9d
• Instruction Fuzzy Hash: 403177F1961648EDEF3196709C82BDF3B78DB46324F2400DBD185D6242E6388EC68B1B
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStartupInfoA.KERNEL32(?), ref: 0041769F
• GetFileType.KERNEL32(?,?,00000000), ref: 0041774A
• GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 004177AD
• GetFileType.KERNEL32(00000000,?,00000000), ref: 004177BB
• SetHandleCount.KERNEL32 ref: 004177F2
Similarity
• API ID: FileHandleType$CountInfoStartup
• String ID:
• API String ID: 1710529072-0
• Opcode ID: 8c6679148f64bb77278d6d77b9368511d7cfe70b0cd8573ea2dfe0e7b80ae48f
• Instruction ID: 1521dec5194d53324a877df202082dadc936f581ec6971422c000dc394b087b4
• Opcode Fuzzy Hash: 8c6679148f64bb77278d6d77b9368511d7cfe70b0cd8573ea2dfe0e7b80ae48f
• Instruction Fuzzy Hash: 39510B716086458FC7208B28D8847A67BB0FB11378F65866ED5B2C72E0D738A886C759
Uniqueness
Uniqueness Score: -1.00%

APIs
• CharUpperW.USER32(00000000,00000000,?,00000000,00000000,?,00403B6F), ref: 00403AC2
• GetLastError.KERNEL32(?,00000000,00000000,?,00403B6F), ref: 00403ACE
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000004,00000000,00000000,?,00000000,00000000,?,00403B6F), ref: 00403AE9
• CharUpperA.USER32(?,?,00000000,00000000,?,00403B6F), ref: 00403B02
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000001,?,00000000,00000000,?,00403B6F), ref: 00403B15
Similarity
• API ID: Char$ByteMultiUpperWide$ErrorLast
• String ID:
• API String ID: 3939315453-0
• Opcode ID: 209c94fe8e33f847f2405d3a9712247a1b8bb9216b5908a8917fe0bd7a80c077
• Instruction ID: 0842cb939f6927aecb542cd9758d214692c03acffe84293a02396fd76ee0080f
• Opcode Fuzzy Hash: 209c94fe8e33f847f2405d3a9712247a1b8bb9216b5908a8917fe0bd7a80c077
• Instruction Fuzzy Hash: B30144B65001197ADB20ABE49CC9DEBBA7CDB08259F414572F942A3281E3756E4487B8
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000103,7FFFFFFF,00416EEF,00417BBE,00000000,?,?,00000000,00000001), ref: 00415525
• TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00415533
• SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0041557F
  • Part of subcall function 00416EFC: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00416FF2
• TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00415557
• GetCurrentThreadId.KERNEL32 ref: 00415568
Similarity
• API ID: ErrorLastValue$AllocCurrentHeapThread
• String ID:
• API String ID: 2020098873-0
• Opcode ID: 86968800811f432393852c2012b1ac292949c56105930e45964c9f1db916a728
• Instruction ID: cede6b9146d9eee740ee2dfbc4b23865fcca372efd47330e9e203dd76af2c63a
• Opcode Fuzzy Hash: 86968800811f432393852c2012b1ac292949c56105930e45964c9f1db916a728
• Instruction Fuzzy Hash: 09F09635A01611BBC7312B74AC096DB3E62EB857A1B51413AF551962A4DB28888196EC
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041570A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415747
  • Part of subcall function 0041570A: EnterCriticalSection.KERNEL32(?,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415762
• GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,00414BA4), ref: 00417E8B
  • Part of subcall function 0041576B: LeaveCriticalSection.KERNEL32(?,00413F70,00000009,00413F5C,00000000,?,00000000,00000000,00000000), ref: 00415778
Strings
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: CriticalSection$EnterInfoInitializeLeave
• String ID: +B$WB$WB
• API String ID: 1866836854-4076192905
• Opcode ID: ee95e9d0b24a19a0cc788d9683df54c17a7a80f6c3da06404699baeb333cbe61
• Instruction ID: 91cfe2518806d3d9ee68befd2fe7c4d9c34af4d87c59522c175cbc6726151178
• Opcode Fuzzy Hash: ee95e9d0b24a19a0cc788d9683df54c17a7a80f6c3da06404699baeb333cbe61
• Instruction Fuzzy Hash: FC41243164C654AEE720DB24D8853EB7BF1AB05314FB4406BE5488B291CABD49C7C74C
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97048a31ed7e8673145bc5a0b9288faae4c75299d979c6b38067687c3c285a89
• Instruction ID: b0a20c71c01645f6642c62949d543ab21d76ee58160ce25a59b39075e73dd19d
• Opcode Fuzzy Hash: 97048a31ed7e8673145bc5a0b9288faae4c75299d979c6b38067687c3c285a89
• Instruction Fuzzy Hash: 4691E671D01514ABCB21AB69DC85ADEBBB4EFC5764F240227F818B62D0D7398DC1CA6C
Uniqueness

Uniqueness Score: -1.00%

APIs
• HeapAlloc.KERNEL32(00000000,00002020,00420818,00420818,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000), ref: 004165BD
• VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000), ref: 004165E1
• VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000), ref: 004165FB
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000,?), ref: 004166BC
• HeapFree.KERNEL32(00000000,00000000,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000,?,00000000), ref: 004166D3
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: AllocVirtual$FreeHeap
• String ID:
• API String ID: 714016831-0
• Opcode ID: 3cebd7198669312bdcb80342c8511f4e4e3300f6cdfd7be81cbf94ce20f50e4e
• Instruction ID: 0af9858cac0a30669fb94f5f64461d90f8de944a7195c69e4f59e8ed45fdce2d
• Opcode Fuzzy Hash: 3cebd7198669312bdcb80342c8511f4e4e3300f6cdfd7be81cbf94ce20f50e4e
• Instruction Fuzzy Hash: 983101B0700705EBD3309F24EC45BA2BBE4EB44794F12823AE55597791E778E8818BCC
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0040978C
  • Part of subcall function 004095DD: EnterCriticalSection.KERNEL32(?,?,?,00409903), ref: 004095E2
  • Part of subcall function 004095DD: LeaveCriticalSection.KERNEL32(?,?,?,00409903), ref: 004095EC
• EnterCriticalSection.KERNEL32(?), ref: 004097B9
• LeaveCriticalSection.KERNEL32(?), ref: 004097D5
• __aulldiv.LIBCMT ref: 00409824
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$H_prolog__aulldiv
• String ID:
• API String ID: 3848147900-0
• Opcode ID: 985cff57d02d2bbd00f179e979cdbab89758c627aa779ce2aa11222f2ed784f0
• Instruction ID: 0a470d0c852558693c62499fef9fcf54cb9603282822d0262474d13d459b1607
• Opcode Fuzzy Hash: 985cff57d02d2bbd00f179e979cdbab89758c627aa779ce2aa11222f2ed784f0
• Instruction Fuzzy Hash: D2316076A00219AFCB10EFA1C881AEFBBB5FF48314F00442EE10573692CB79AD45CB64
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00413260: SetEvent.KERNEL32(00000000,00407649), ref: 00413263
• GetDlgItem.USER32(?,000003E8), ref: 0040961A
• LoadIconA.USER32(00000000), ref: 00409634
• SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00409645
• SetTimer.USER32(?,00000003,00000064,00000000), ref: 00409654
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: EventIconItemLoadMessageSendTimer
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2758541657-0
                                                                                                                                                                                                                                • Opcode ID: a2a1fe83cc9e0c6555ab30a5ba5d34d7e9637e7b1c96707fcad98147a719e390
                                                                                                                                                                                                                                • Instruction ID: 551790b6ae67963d7c94afa5d69916b6b09ae611f895d6b9f891aac7cfc7161a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a2a1fe83cc9e0c6555ab30a5ba5d34d7e9637e7b1c96707fcad98147a719e390
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AF010830140B00AFD7219B21DD5AB66BBA1BF04721F008B2DE9A7959E0CB76B951CB48
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000078,0041B370,00000000,00402AAF,00000000,?,?,?,?), ref: 0040484F
                                                                                                                                                                                                                                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,0041B370,00000000,00402AAF,00000000,?,?,?,?), ref: 0040486B
                                                                                                                                                                                                                                • SetFileTime.KERNEL32(00000000,00000000,?,?,?,40000000,00000003,00000000,00000003,02000000,00000000,?,0041B370,00000000,00402AAF,00000000), ref: 00404882
                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,40000000,00000003,00000000,00000003,02000000,00000000,?,0041B370,00000000,00402AAF,00000000,?,?,?), ref: 0040488E
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: File$CloseCreateErrorHandleLastTime
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2291555494-0
                                                                                                                                                                                                                                • Opcode ID: ff746e65f9cee30ffc8bafec341a8eb05b102094c88bf525f6141f2248b114e2
                                                                                                                                                                                                                                • Instruction ID: 64467d0e5ceda328e6e32eae128236dd02d513a4ef1926b956b8d25c0d97de23
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ff746e65f9cee30ffc8bafec341a8eb05b102094c88bf525f6141f2248b114e2
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B4F0E2762803507BE2302B60AC48F9B6E5CDBC9B25F108535B2A5A20E0C2294D1992B8
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID: $
                                                                                                                                                                                                                                • API String ID: 3519838083-227171996
                                                                                                                                                                                                                                • Opcode ID: f310208c7012b047481696f3de0866f141f831578990e3312a3a639e5dd044ff
                                                                                                                                                                                                                                • Instruction ID: b608afa5533618173c50a936dd0dc92eebd328cd23ff399218f1dfb4b0bc6294
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f310208c7012b047481696f3de0866f141f831578990e3312a3a639e5dd044ff
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6A713571E0020A9FCB24DF99D481AAEB7B1FF48314F10457ED416B7691D734AA8ACF54
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • __EH_prolog.LIBCMT ref: 00403D5F
                                                                                                                                                                                                                                  • Part of subcall function 00403F3C: __EH_prolog.LIBCMT ref: 00403F41
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                • String ID: > @$KA
                                                                                                                                                                                                                                • API String ID: 3519838083-301980584
                                                                                                                                                                                                                                • Opcode ID: f9624756dcd051103a0faf5414ab264e1043146aad46313972ce47ae36e47b30
                                                                                                                                                                                                                                • Instruction ID: 0797aa4f2666763f951e0621ef07ec53320c6840b80f95fc9e8c0876c74f2843
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f9624756dcd051103a0faf5414ab264e1043146aad46313972ce47ae36e47b30
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 27517D30D0020A9ACF15EF95C855AEEBF7AAF5430AF10452FE452372D2DB795B06CB89
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetCPInfo.KERNEL32(?,00000000), ref: 004180A1
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Info
                                                                                                                                                                                                                                • String ID: $
                                                                                                                                                                                                                                • API String ID: 1807457897-3032137957
                                                                                                                                                                                                                                • Opcode ID: 8b363f32da595bfb59a3e5cf7fceda2159d83bff833a4ab1ae99a185f1cff2df
                                                                                                                                                                                                                                • Instruction ID: d0f9309d8466ab513fef0fe96190925d4c3a9a36aebfd3e00fd14af349a29a6b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8b363f32da595bfb59a3e5cf7fceda2159d83bff833a4ab1ae99a185f1cff2df
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 18417C322046586EEB22DB14CC4DFFB7FA8DB06700F9400EAD549C7162CA794985CBAA
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00405F63
• LoadStringW.USER32(KA,?,?,00000000), ref: 00405FBC
Strings
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: H_prologLoadString
• String ID: KA
• API String ID: 385046869-4133974868
• Opcode ID: e6db0625694eca8672df4367e77b25990e3c0bbb9f4bdb8bdb41469bebcffd79
• Instruction ID: f8b33de4bb70f64bdff40eb498b0250b344fd9cf2a6d880d3b442eae3703c9f6
• Opcode Fuzzy Hash: e6db0625694eca8672df4367e77b25990e3c0bbb9f4bdb8bdb41469bebcffd79
• Instruction Fuzzy Hash: B8212771D0011A9BCB05EFA1C9919EEBBB5FF08308F10407AE106B6291DB794E40CB98
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00405EC1
• LoadStringA.USER32(KA,?,?,00000000), ref: 00405F12
Strings
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: H_prologLoadString
• String ID: KA
• API String ID: 385046869-4133974868
• Opcode ID: 65d677eaf710bde40107d5e97ee8b2feebca7ae19d827cde6303db2279eeba92
• Instruction ID: 682fdee239e6c4724d42c8af7adc4720fc3e2d38c4520a7b7ac2604701000241
• Opcode Fuzzy Hash: 65d677eaf710bde40107d5e97ee8b2feebca7ae19d827cde6303db2279eeba92
• Instruction Fuzzy Hash: 6C1126B1D011199ACB06EFA5C9959EEBBB4FF18304F50447EE445B3291DB7A5E00CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00415EC2,00000000,00000000,00000000,00413EF1,00000000,00000000,?,00000000,00000000,00000000), ref: 00416122
• HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00415EC2,00000000,00000000,00000000,00413EF1,00000000,00000000,?,00000000,00000000,00000000), ref: 00416156
• VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00416170
• HeapFree.KERNEL32(00000000,?), ref: 00416187
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: AllocHeap$FreeVirtual
• String ID:
• API String ID: 3499195154-0
• Opcode ID: b9288557613d4b1507cb107ac5399481b8ee784b68c3247b56fc213fdecf1f33
• Instruction ID: c92a38fae87bb937ac208a7a453d8678043178d73965b4d0b203d58dccefea2c
• Opcode Fuzzy Hash: b9288557613d4b1507cb107ac5399481b8ee784b68c3247b56fc213fdecf1f33
• Instruction Fuzzy Hash: 98112B31300B01BFC7318F29EC869567BB5FB49764791862AF151C65B0C7709842CF48
Uniqueness

Uniqueness Score: -1.00%

APIs
• InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 004156EE
• InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 004156F6
• InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 004156FE
• InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 00415706
Memory Dump Source
• Source File: 00000016.00000002.3317629153.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.3317547365.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319610212.000000000041B000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319848544.0000000000420000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3319992025.0000000000422000.00000008.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320051235.0000000000423000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000016.00000002.3320115346.0000000000427000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_wjaGPzkDQjpdcbjBR9AwSFKW.jbxd
Similarity
• API ID: CriticalInitializeSection
• String ID:
• API String ID: 32694325-0
• Opcode ID: 9da826fcb73db9b2f0886f92194b085cad0f2cdeae026ac3c84f39be76329a94
• Instruction ID: 9a5a21d657ffcc76f5c3c67f011d6e28d8344b300781f1748fbef07cd2b7b2eb
• Opcode Fuzzy Hash: 9da826fcb73db9b2f0886f92194b085cad0f2cdeae026ac3c84f39be76329a94
• Instruction Fuzzy Hash: CCC00231A05138ABCB712B65FC048563FB5EB882A03558077A1045203186612C12EFD8
Uniqueness

Uniqueness Score: -1.00%